Three high-severity vulnerabilities that are prone to unauthenticated cross-site scripting (XSS) attacks that let attackers inject malicious scripts via leading WordPress plug-ins were observed.
The bugs could potentially impact nearly 6 million WordPress installations, so security pros advised taking them seriously.
In a May 29 blog post, Fastly researchers said the attack payloads they observed inject a script tag that points to an obfuscated JavaScript file hosted on an external domain.
The researchers said the script used to target each of the bugs was identical, focused on the following malicious actions: creating a new admin account; injecting backdoors, and setting up tracking scripts, apparently to monitor infected sites.
The first bug – CVE-2024-2194 – affected WPStatistics, which has more than 600,000 installations. The second bug – CVE-2023-6961 – hit the WP Meta SEO plug-in that has more than 20,000 installations. And finally, CVE-2023-40000 – hit the LiteSpeed Cache plug-in, which has well more than 5 million installations.
Adam Neel, threat detection engineer at Critical Start, said these WordPress bugs let attackers steal admin credentials via XSS. Neel added that WordPress admins have capabilities that security teams would not want in the hands of an attacker, such as removing other users, deleting pages, and being able to see all backend content.
“This is a wealth of information and power for attackers to have, so it’s imperative for website administrators to update the vulnerable plugins,” said Neel. “Ensure all WordPress plugins are updated to the latest versions.”
Lionel Litty, chief security architect at Menlo Security, added that there are mechanisms to mitigate the impact of this type of stored XSS vulnerability, namely the Content Security Policy header. Unfortunately, Litty said too few web servers have this deployed and even the ones that do often have a policy that is too lax to be effective.
“This is a good reminder to examine the sensitive web applications you are using to see if they have adequate hardening in place,” said Litty. “If they don't, ask your vendor about it.”
Critical Start’s Neel recommended the following remediation steps for security pros to consider:
- Review user accounts with administrative privileges. Remove any suspicious accounts, especially the "admim" account commonly created by attackers.
- Scan files for unexpected modifications, particularly looking for injected scripts such as: <script src="hxxps://assets.scontentflow[.]com"></script> or <script src="hxxps://cache.cloudswiftcdn[.]com"></script>.
- Watch for any unusual outbound requests directed to Yandex tracking links or the URL "hxxp://ur.mystiqueapi[.]com/?ur". This could show that the attacker's backdoor is active.
