Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

Cybersecurity experts have cautioned that various high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to generate rogue administrator accounts for follow-on exploitation.

"These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts," Fastly researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur said.

The security issues in question are listed below:

- CVE-2023-6961 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12
- CVE-2023-40000 (CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7
- CVE-2024-2194 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5

Attack chains exploiting these flaws involve injecting a payload that loads an obfuscated JavaScript file hosted on an external site; that script is responsible for creating a new administrator account, installing a backdoor, and setting up tracking scripts.

The PHP backdoors are injected into both plugin and theme files, while the tracking script is meant to send an HTTP GET request with the HTTP host information to a remote server ("ur.mystiqueapi[.]com/?ur").

Fastly said it observed a considerable fraction of the exploitation attempts arriving from IP addresses associated with the Autonomous System (AS) IP Volume Inc. (AS202425), with much of that traffic originating in the Netherlands.

It's worth mentioning that WordPress security vendor WPScan has uncovered similar attack operations targeting CVE-2023-40000 to establish rogue admin accounts on vulnerable websites.

To mitigate the risk from such attacks, WordPress site owners are advised to review their installed plugins, apply the latest updates, and audit their sites for evidence of malware or the presence of unexpected administrator accounts.
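The two audit steps recommended above, flagging recently created administrator accounts and checking plugin and theme files for the tracking host named in the report, can be scripted. The following Python is an added example written for this article, not code from Fastly or from any of the affected plugins. It assumes a user export in the shape produced by WP-CLI's `wp user list --format=json` (the records here are constructed), and it treats the `eval(base64_decode(` pattern as a generic PHP backdoor indicator, which is an assumption of this example rather than a detail the report attributes to this campaign.

```python
import json
import re

# Constructed sample shaped like `wp user list --format=json` output.
# Every record below is made up for this example.
SAMPLE_USER_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2022-03-10 09:12:44", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2023-07-01 14:02:11", "roles": "editor"},
    {"ID": 3, "user_login": "wpsupp0rt", "user_email": "x@example.net",
     "user_registered": "2024-05-20 03:41:09", "roles": "administrator"},
])

# Remote host the tracking script beacons to, as named in the report
# (written there as ur.mystiqueapi[.]com).
TRACKING_HOST = "ur.mystiqueapi.com"

# Indicators to look for in plugin and theme files. The first comes from the
# report; the eval/base64_decode pattern is a common PHP backdoor construct
# and is an assumption of this example, not something the report describes.
INDICATORS = {
    "tracking_host": re.compile(re.escape(TRACKING_HOST)),
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
}


def find_new_admins(export_json: str, since: str) -> list[str]:
    """Return logins of administrators registered on or after `since` (YYYY-MM-DD).

    Comparing the fixed-width WordPress timestamp format lexicographically is
    safe because both sides are zero-padded ISO-style strings.
    """
    flagged = []
    for user in json.loads(export_json):
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        if user["user_registered"][:10] >= since:
            flagged.append(user["user_login"])
    return flagged


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each path whose contents match an indicator to the indicator names hit.

    `files` maps a relative path to the file's text; a real run would read
    wp-content/plugins and wp-content/themes from disk.
    """
    hits = {}
    for path, content in files.items():
        matched = [name for name, pattern in INDICATORS.items()
                   if pattern.search(content)]
        if matched:
            hits[path] = matched
    return hits


# Constructed file contents standing in for a plugin/theme tree on disk.
SAMPLE_FILES = {
    "wp-content/plugins/example-plugin/example-plugin.php":
        "<?php\n// clean file: output is escaped before rendering\n"
        "echo esc_html($title);\n",
    "wp-content/themes/example-theme/footer.php":
        "</footer>\n<script src=\"https://ur.mystiqueapi.com/?ur\"></script>\n",
    "wp-content/plugins/example-plugin/inc/helper.php":
        "<?php\n@eval(base64_decode($payload));\n",
}


if __name__ == "__main__":
    # Accounts created after the start of the observed campaign window
    # (the date is a placeholder for whatever baseline the site owner trusts).
    for login in find_new_admins(SAMPLE_USER_EXPORT, "2024-01-01"):
        print(f"review administrator account: {login}")
    for path, names in scan_files(SAMPLE_FILES).items():
        print(f"indicator(s) {names} in {path}")
```

On a live site the export would come from `wp user list --format=json` and the file map from walking `wp-content/plugins` and `wp-content/themes`; any administrator the owner did not create, and any file hit, warrants restoring the affected plugin or theme from a clean copy and rotating credentials, since the report notes backdoors are written into both plugin and theme files.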
