Digital Climate Strike WP <= 1.0.0 - Redirect to Malicious Website due to Compromised JS Asset

Description

The plugin loads a JavaScript asset from a remote website which seems to have been compromised. The widget.js file, loaded from https://assets.digitalclimatestrike.net/widget.js, redirects users to gladdiator[dot]io and is being flagged as malicious.

I've reported this to the plugin authors but have not heard anything back yet.

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

digital-climate-strike-wp

No known fix - plugin closed

References

URL

https://github.com/fightforthefuture/digital-climate-strike-wp/issues/13

Classification

Type

REDIRECT

OWASP top 10

A1: Injection

CWE

CWE-601

Miscellaneous

Original Researcher

Steve Perry

Submitter

Steve Perry

Submitter website

https://steveperrycreative.com

Submitter twitter

stevemarkperry

Verified

WPVDB ID

70ac3402-6ff7-48f5-b115-50e6b26f70de

Timeline

Publicly Published

2021-01-21 (about 3 months ago)

Added

2021-01-21 (about 3 months ago)

Last Updated

2021-01-22 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin