Vulnerabilities in three WordPress plugins are being exploited to inject malicious scripts and backdoors into websites, according to a warning from Fastly.
The flaws can be exploited to execute unauthenticated stored cross-site scripting attacks, allowing attackers to create a new WordPress administrator account, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor the infected targets.
According to Fastly, there have been a significant number of exploitation attempts originating from IP addresses associated with the autonomous system IP Volume Inc.
The first bug impacts the WP Statistics plugin, which has over 600,000 active installations, and allows attackers to inject scripts via the URL search parameter.
Disclosed in March and impacting versions 14.5 and earlier of the plugin, the security defect is tracked as CVE-2024-2194.
The second bug, CVE-2023-6961, impacts the WP Meta SEO plugin versions 4.5.12 and earlier.
The attackers have been exploiting the bug to inject a payload into pages generating a 404 response.
When the page is loaded in an administrator's browser, the script pulls obfuscated JavaScript code from a remote server and, if the victim is authenticated, the payload steals their credentials.
As part of the campaign, threat actors have also been exploiting CVE-2023-40000, a vulnerability in the LiteSpeed Cache plugin versions 5.7.0.1 and earlier.
The attackers were seen disguising the XSS payload as an admin notification.
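The injected payloads described above (a remote loader script placed in stored content such as a 404 template or an admin notice, pulling obfuscated JavaScript when an administrator views it) are the kind of thing a site owner can triage from a database export. The following is an added defensive example, not Fastly's tooling and not a WordPress API; it assumes the suspect stored values (post content, option values, plugin templates) have already been exported as strings, and the allowed host list and sample fragments are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the site's own host plus any CDN it legitimately uses.
ALLOWED_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}
# Markers that frequently appear in obfuscated loader scripts.
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(")


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")  # body is appended in handle_data

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_suspicious_scripts(fragment, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, detail) findings for one stored HTML fragment."""
    collector = ScriptCollector()
    collector.feed(fragment)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in collector.inline:
        if any(marker in body for marker in OBFUSCATION_MARKERS):
            findings.append(("obfuscated-inline", body.strip()[:60]))
    return findings


# Constructed samples: a clean 404 template and one with an injected loader.
CLEAN = '<h1>Not found</h1><script src="https://cdnjs.cloudflare.com/x.js"></script>'
INJECTED = ('<h1>Not found</h1><script src="//malicious-loader.invalid/l.js"></script>'
            '<script>eval(atob("ZG9jdW1lbnQ="))</script>')
```

Run the function over every exported value and review any finding by hand; a hit on a host outside the allow-list is the point to check the plugin and theme directories for modified PHP files and the user table for unexpected administrator accounts.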
Fastly says it has identified five domains being referenced in the malicious payloads, along with two additional domains used for tracking.
At least one of these domains was previously associated with the exploitation of vulnerable WordPress plugins.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 30 May 2024 15:43:05 +0000