Malicious Scripts and Backdoors Target Critical WordPress Plugin Flaws

A new wave of cyberattacks is exploiting vulnerabilities in three widely used WordPress plugins, injecting malicious scripts and backdoors into websites, warns Fastly. These critical flaws enable attackers to carry out unauthenticated stored cross-site scripting (XSS) attacks, which in turn facilitate the creation of unauthorized WordPress administrator accounts, the injection of PHP backdoors into plugin and theme files, and the setup of tracking scripts to monitor compromised sites.
Fastly has observed a significant number of exploitation attempts emanating from IPs linked to the Autonomous System (AS) IP Volume Inc. The impacted plugins include WP Statistics, WP Meta SEO, and LiteSpeed Cache, affecting millions of active installations.
WP Statistics Vulnerability: CVE-2024-2194
The first vulnerability affects the WP Statistics plugin, which boasts over 600,000 active installations. Tracked as CVE-2024-2194, this flaw allows attackers to inject scripts via the URL search parameter. Disclosed in March, it impacts versions 14.5 and earlier. The injected scripts execute whenever a user accesses an infected page, with attackers adding the 'utm_id' parameter to requests to ensure the payload appears on the most visited pages.
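A defender-side check for the WP Statistics vector described above, added here as an illustration and not part of Fastly's report: it scans web-server access-log lines (constructed samples, not real traffic) for requests whose `utm_id` or search parameter carries HTML or script markup, whether plain, URL-encoded or double-encoded. The combined log format, the choice of `s` as the search parameter and the markup pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2024:10:00:01 +0000] "GET /?utm_id=spring_sale HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jun/2024:10:00:02 +0000] "GET /?utm_id=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.12 - - [01/Jun/2024:10:00:03 +0000] "GET /?s=hello%20world HTTP/1.1" 200 4096
203.0.113.13 - - [01/Jun/2024:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
203.0.113.14 - - [01/Jun/2024:10:00:05 +0000] "GET /blog/?utm_id=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 5120
"""

# Client IP, timestamp and request target from a combined-log-format line.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Parameters the report says were abused: the search parameter (assumed to be
# WordPress's "s") and the utm_id tracking parameter.
WATCHED_PARAMS = {"utm_id", "s", "search"}

# Markup that has no business in a tracking or search value.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for watched params that contain markup."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded one layer; decode again to catch
            # double-encoded payloads such as %253C -> %3C -> <
            decoded = unquote_plus(value)
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(text: str) -> list:
    """Return (ip, timestamp, param, decoded value) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        for name, value in suspicious_params(match["target"]).items():
            findings.append((match["ip"], match["ts"], name, value))
    return findings


if __name__ == "__main__":
    for ip, ts, name, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} param={name} value={value!r}")
```

Hits from this scan are a starting point for triage, not proof of compromise; pair them with a review of administrator accounts and of recently modified files under wp-content/plugins and wp-content/themes, which the report names as the places backdoors were dropped.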
WP Meta SEO Vulnerability: CVE-2023-6961
The second vulnerability, CVE-2023-6961, affects the WP Meta SEO plugin, with over 20,000 active installations. This bug allows attackers to inject a payload into pages generating a 404 response. When an administrator loads such a page, the script fetches obfuscated JavaScript code from a remote server. If the administrator is authenticated, the payload can steal their credentials.
LiteSpeed Cache Vulnerability: CVE-2023-40000
The third vulnerability, CVE-2023-40000, affects the LiteSpeed Cache plugin, which has over 5 million active installations. Attackers disguise the XSS payload as an admin notification, so the script is triggered when an administrator opens a backend page. The script then executes with the administrator's privileges and can be used for subsequent malicious actions.
Fastly's investigation has identified five domains referenced in the malicious payloads, along with two additional domains used for tracking, at least one of which has been previously associated with the exploitation of vulnerable WordPress plugins. Website administrators using the affected plugins are advised to update to the latest versions immediately and monitor their sites for any suspicious activity.