Cyber security news for all

Researchers Unearth Ongoing Exploitation of WordPress Plugin Vulnerabilities

Security researchers are warning that several critical vulnerabilities in WordPress plugins are being actively exploited by attackers to create rogue administrator accounts for follow-on malicious activity.

“These security gaps are detected across diverse WordPress plugins and are susceptible to unauthenticated persistent cross-site scripting (XSS) attacks due to deficient input sanitization and output escaping, enabling malefactors to embed malevolent scripts,” said Fastly researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur.

The vulnerabilities in question are listed below:

• CVE-2023-6961 (CVSS score: 7.2) – Unauthenticated Persistent Cross-Site Scripting in WP Meta SEO ≤ 4.5.12
• CVE-2023-40000 (CVSS score: 8.3) – Unauthenticated Persistent Cross-Site Scripting in LiteSpeed Cache ≤ 5.7
• CVE-2024-2194 (CVSS score: 7.2) – Unauthenticated Persistent Cross-Site Scripting in WP Statistics ≤ 14.5

Exploitation of these vulnerabilities involves injecting a payload that references an obfuscated JavaScript file hosted on an external domain. That script creates a new administrator account, plants a backdoor, and installs tracking scripts.

The PHP backdoors are written into both plugin and theme files, while the tracking script sends an HTTP GET request carrying the HTTP host information to a remote server (“ur.mystiqueapi[.]com/?ur”).

Fastly said it observed a substantial share of the exploitation attempts coming from IP addresses associated with the Autonomous System (AS) IP Volume Inc. (AS202425), with a large portion originating in the Netherlands.

WordPress security firm WPScan had previously disclosed similar attack campaigns exploiting CVE-2023-40000 to create unauthorized admin accounts on vulnerable sites.

To mitigate the risk, WordPress site owners are advised to review their installed plugins, apply the latest updates, and audit their sites for signs of malware or the presence of suspicious administrator users.
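As an added example (not code from the article or from Fastly's research), the following Python script audits stored WordPress option values for the kind of injected payload described above: it flags any stored `<script>` tag whose src points off-site, and any inline script stored in a settings value. The site hostname example.com, the sample rows and the placeholder attacker domain are constructed; in practice the rows would come from a database dump or the output of `wp option list`.

```python
import re
from urllib.parse import urlparse

# Hostname of the audited site (assumed/constructed). Script tags whose src
# resolves to any other host are treated as injected.
SITE_HOST = "example.com"

# Constructed sample rows in the shape of wp_options (option_name, option_value).
# The ".invalid" domain stands in for the attacker-controlled host.
SAMPLE_OPTIONS = [
    ("blogdescription", "Just another WordPress site"),
    ("litespeed_theme_js",
     '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'),
    ("wp_statistics_referrer",
     'Mozilla/5.0 <script src="https://cdn.attacker-placeholder.invalid/a.js"></script>'),
    ("wpms_title_tag", "Home<script>alert(1)</script>"),
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_script(attrs: str, body: str):
    """Return a reason string if this <script> looks injected, else None."""
    m = SRC_RE.search(attrs)
    if m:
        src = m.group(1)
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/...
        if host is None or host.lower() == SITE_HOST:
            return None
        return f"external script src={src}"
    if body.strip():
        # Plugin settings have no legitimate reason to carry inline JavaScript.
        return "inline script in stored value"
    return None


def find_injected_scripts(rows):
    """Scan (option_name, option_value) rows; return [(option_name, reason), ...]."""
    findings = []
    for name, value in rows:
        for attrs, body in SCRIPT_RE.findall(value):
            reason = classify_script(attrs, body)
            if reason:
                findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in find_injected_scripts(SAMPLE_OPTIONS):
        print(f"{name}: {reason}")
```

Any hit should be followed by a review of the plugin and theme directories for added PHP files and of the user table for unexpected administrator accounts, as the article recommends.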
