Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors

Vulnerabilities in three WordPress plugins are being exploited to inject malicious scripts and backdoors into websites, according to a warning from Fastly.

The flaws can be exploited to execute unauthenticated stored cross-site scripting (XSS) attacks, allowing attackers to create a new WordPress administrator account, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor the infected targets.

According to Fastly, there has been a significant number of exploitation attempts originating from IPs associated with the Autonomous System (AS) IP Volume Inc.

Impacting the WP Statistics plugin, which has over 600,000 active installations, the first bug allows attackers to inject scripts via the URL search parameter. Disclosed in March and impacting versions 14.5 and earlier of the plugin, the security defect is tracked as CVE-2024-2194.

“These scripts are executed whenever a user accesses an injected page. The attacker repeatedly sends requests containing this payload to ensure it appears on the most visited pages, adding the ‘utm_id’ parameter to these requests,” Fastly said in an advisory.
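The request pattern Fastly describes above (script-like content in a query parameter, sent repeatedly together with a `utm_id` parameter) is something a site operator can look for in web server access logs. The following is an added defender-side example, not Fastly's code and not part of the original article; the log lines, IP addresses and hostnames in it are constructed for illustration, and the regular expressions are assumptions about what an injection attempt looks like rather than an exact signature for CVE-2024-2194.

```python
"""Flag access-log requests that resemble the WP Statistics stored-XSS
injection attempts described above: a query string carrying script-like
content, optionally together with a utm_id parameter.
Added defender-side example; log lines, IPs and hostnames are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in Combined Log Format (hypothetical hosts and IPs).
SAMPLE_LOG = r'''
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?s=wordpress&utm_id=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fa.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /blog/popular-post/?utm_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 8040 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /?s=cache+plugin HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
198.51.100.8 - - [10/May/2024:12:00:04 +0000] "GET /landing/?utm_id=spring_campaign&utm_source=newsletter HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
'''

# Minimal Combined Log Format parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers of HTML/JS injection inside a decoded parameter value (assumed heuristic).
SCRIPT_RE = re.compile(r'<\s*script|javascript:|\bon\w+\s*=|<\s*img|<\s*svg', re.IGNORECASE)


def decoded_params(target):
    """Return [(name, value)] for the query string; values are percent-decoded
    again twice so double-encoded payloads are not missed."""
    query = urlsplit(target).query
    return [(k, unquote(unquote(v))) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify_request(target):
    """Return a reason string if the request looks like an injection attempt, else None."""
    params = decoded_params(target)
    names = {k for k, _ in params}
    injected = [k for k, v in params if SCRIPT_RE.search(v)]
    if not injected:
        return None
    if "utm_id" in names:
        return f"script-like content in {injected} with utm_id present"
    return f"script-like content in {injected}"


def scan_log(text):
    """Parse log lines and return a list of (ip, target, reason) hits."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits


def offending_ips(text):
    """Count hits per source IP; repeated hits from one address match the
    'repeatedly sends requests' behaviour described in the advisory."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
    print(offending_ips(SAMPLE_LOG))
```

Run against a real access log, the per-IP counts are the useful output: a single address sending many flagged requests to the most popular pages is the behaviour the advisory describes, and a match on a page that is already serving the injected content is a signal to check the WP Statistics data and the site's plugin and theme files for the backdoors mentioned in the article.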

The second bug, CVE-2023-6961, impacts the WP Meta SEO plugin versions 4.5.12 and earlier. The plugin has over 20,000 active installations.

The attackers have been exploiting the bug to inject a payload into pages generating a 404 response. When the page is loaded in an administrator’s browser, the script pulls obfuscated JavaScript code from a remote server and, if the victim is authenticated, the payload steals their credentials.

As part of the campaign, threat actors have also been exploiting CVE-2023-40000, a vulnerability in the LiteSpeed Cache plugin versions and earlier. The plugin has over 5 million active installations.


The attackers were seen disguising the XSS payload as an admin notification. As soon as an administrator would access a backend page, the script would “execute using their credentials for subsequent malicious actions”.

Fastly says it has identified five domains being referenced in the malicious payloads, along with two additional domains used for tracking. At least one of these domains was previously associated with the exploitation of vulnerable WordPress plugins.
