Thousands of websites running on WordPress have been compromised by SoakSoak malware, which works by exploiting a security flaw in a third-party plug-in.

Following the discovery of the flaws, Google has blacklisted over 11,000 domains hosting WordPress websites that might have been affected by the malware, according to California-based security company Sucuri.

ThemePunch, the maker of the $18 plug-in called Slider Revolution, has admitted that its plug-in had a vulnerability which was discovered in February of this year.

The vulnerability could allow installation of malicious SoakSoak code, which infects the systems used to access the infected website.

ThemePunch did not disclose the vulnerability, in order to prevent mass exploitation of the flaw, and instead tried to fix the problem by developing 29 security fixes from February through to September.

ThemePunch said: "We as a team would like to apologize officially to our clients for the problems that arose due to the security exploit in Revolution Slider Plugin versions older than 4.2."

The plug-in maker has also advised WordPress users to update all plug-ins used on the website to reduce the damage, and has asked developers to use WordPress security plug-ins like Wordfence, which can block the vulnerability in some cases.

Security firm Sucuri said: "We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back."