XSS Flaws In Multiple WordPress Plugins Exploited To Deploy Malware

Researchers uncovered a new wave of malware attacks against WordPress websites, exploiting known XSS vulnerabilities in different WordPress plugins to deploy malware. Users must ensure updating their sites with the latest plugin releases to avoid the threat.

New Malware Campaigns Exploits XSS In Different WordPress Plugins

Reportedly, the threat actors have devised a new malware campaign leveraging the general practice of site admins, leaving their sites running with vulnerable plugin versions. In the recent campaign, the attackers exploited different cross-site scripting (XSS) vulnerabilities in three different WordPress plugins to deploy malware.

As explained in their post, researchers from the security team Fastly observed active exploitation of the following three XSS vulnerabilities.

  • CVE-2023-6961 (CVSS 7.2): A high-severity XSS affecting the WP Meta SEO plugin. The stored XSS impacted the ‘Referer’ header, allowing an unauthenticated adversary to inject arbitrary scripts on web pages that would execute following users’ page visits. The plugin developers patched this vulnerability with v.4.5.13.
  • CVE-2023-40000 (CVSS 8.3): Another high-severity vulnerability affecting the LiteSpeed Cache Plugin. The developers addressed this flaw with the plugin version 5.7.0.1, released in October 2023.
  • CVE-2024-2194 (CVSS 7.2): This high-severity stored XSS flaw affected the URL search parameter in the WP Statistics plugin. It impacted the plugin versions 14.5 and earlier, eventually receiving a patch with version 14.5.1

Fastly researchers observed a new JavaScript malware exploiting these flaws. As stated,

The attack payloads we are observing targeting these vulnerabilities inject a script tag that points to an obfuscated JavaScript file hosted on an external domain.

Specifically, this malware performs three main functions: installing PHP backdoors, creating rogue admin accounts, and setting up tracking scripts to monitor the targeted sites.

While the developers have adequately patched all three vulnerabilities, the active exploitation of the flaws in the wild clearly hints at the users’ ignorance about ensuring prompt site updates. Now that the threat is already in the wild, WordPress admins must ensure that these WP plugins (and all others running on their sites) are updated with the latest releases to receive all security fixes.

Let us know your thoughts in the comments.