Lucene search

The Hacker NewsTHN:C769BA2578F3676F70D28FDE4C506147

HistoryMay 30, 2024 - 1:49 p.m.

Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

2024-05-3013:49:00

The Hacker News

thehackernews.com

wordpress

plugin vulnerabilities

exploitation

rogue administrator

cross-site scripting

security flaws

cve

fastly researchers

php backdoors

tracking scripts

ip addresses

autonomous system

netherlands

wpscan

malware mitigation

software updates.

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation.

“These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts,” Fastly researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur said.

The security flaws in question are listed below -

CVE-2023-6961 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12
CVE-2023-40000 (CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7
CVE-2024-2194 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5

Attack chains exploiting the flaws involve injecting a payload that points to an obfuscated JavaScript file hosted on an external domain, which is responsible for creating a new admin account, inserting a backdoor, and setting up tracking scripts.

The PHP backdoors are injected into both plugin and theme files, while the tracking script is designed to send an HTTP GET request containing the HTTP host information to a remote server (“ur.mystiqueapi[.]com/?ur”).

Fastly said it detected a significant proportion of the exploitation attempts originating from IP addresses associated with the Autonomous System (AS) IP Volume Inc. (AS202425), with a chunk of it coming from the Netherlands.

It’s worth noting that WordPress security company WPScan previously disclosed similar attack efforts targeting CVE-2023-40000 to create rogue admin accounts on susceptible websites.

To mitigate the risks posed by such attacks, it’s recommended that WordPress site owners review their installed plugins, apply the latest updates, and audit the sites for signs of malware or the presence of suspicious administrator users.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.