Three WordPress plugins, WP Statistics, WP Meta SEO, and LiteSpeed Cache, with millions of installations combined, have been discovered to have critical vulnerabilities that allow attackers to carry out cross-site scripting attacks, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets.
The vulnerabilities were brought to light by security researchers at Fastly, who report a significant increase in exploitation attempts. These attempts appear to originate from the Autonomous System (AS) IP Volume Inc., with a geographic concentration in the Netherlands. The researchers also identified five domains referenced in the attack payloads, plus two additional domains used in the final tracking phase.
The first vulnerability, with the CVE ID CVE-2024-2194, affects the WP Statistics plugin versions 14.5 and earlier. Tim Coen first disclosed it on March 11, 2024, and it has since been patched in an update. The plugin has over 600,000 active installations, but nearly 48% of the websites using it are still using versions lower than 14.5, making them vulnerable to the attack.
The attack in question is a cross-site scripting attack (XSS), allowing hackers to inject arbitrary web scripts via the URL search parameter. These malicious scripts are run any time a user accesses the infected page. Additionally, attackers may send repeated requests containing the malicious payload to ensure the most visited pages get infected. If exploited successfully, the attack lets a hacker create an administrator account on the affected WordPress website.

WP Meta SEO is the second affected plugin. Its vulnerability, CVE-2023-6961, impacts versions 4.5.12 and earlier and allows a cross-site scripting attack via the Referer HTTP header. The payload is sent in a request to a page that returns a 404 error code on the targeted website. If the victim is authenticated (i.e., a logged-in WordPress admin), their credentials are extracted.
The plugin has over 20,000 active installations, with about 27% of websites running a vulnerable version (4.5 or lower). The vulnerability was first disclosed on April 16, 2024, by researcher Krzysztof Zając from CERT PL.
The worst vulnerability of the three, CVE-2023-40000, potentially affects the LiteSpeed Cache plugin versions 5.7.0.1 and earlier. The plugin has more than five million active installations, and Fastly reports that nearly 15.7% of all websites using it still haven’t updated to the patched versions.
Patchstack disclosed the vulnerability in February 2024. It allows cross-site scripting attacks on vulnerable sites. The payload is disguised as an admin notification urging an admin to access any backend page, triggering the vulnerability. Once triggered, it can extract admin credentials from the targeted websites, giving the attackers unfettered access.
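The two request-borne vectors described above, a script payload in the URL search parameter and a script payload in the Referer header of a request that ends in a 404, both leave traces in ordinary web-server access logs. The following script is an added illustration of how a defender can sweep those logs for such traces; it is not code from the article, from Fastly, or from any of the plugins. The log lines, IP addresses and payloads are constructed for the example, the query parameter name `s` is assumed (WordPress's default search parameter), and the regular expression is deliberately broad and will need tuning for real traffic.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines in Apache/nginx combined format.
# None of this is real traffic; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2024:10:01:12 +0000] "GET /?s=wordpress+tips HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/May/2024:10:01:13 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/May/2024:10:01:14 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2024:10:02:00 +0000] "GET /does-not-exist HTTP/1.1" 404 812 "<img src=x onerror=fetch('https://example.invalid/c')>" "curl/8.0"
192.0.2.5 - - [15/May/2024:10:03:30 +0000] "GET /about/ HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude markers of HTML/script injection. Broad on purpose; expect noise
# from legitimate traffic and tune the pattern for your own site.
XSS_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=|<\s*(img|svg|iframe)\b', re.IGNORECASE)

# Assumed search parameter name; WordPress uses "s" by default.
SEARCH_PARAM = "s"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xss_indicators(log_text):
    """Return a list of (ip, vector, evidence) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue

        # Vector 1: payload in the search parameter of the query string.
        # parse_qs decodes once; unquote again so double-encoded payloads surface too.
        qs = parse_qs(urlparse(rec["path"]).query, keep_blank_values=True)
        for value in qs.get(SEARCH_PARAM, []):
            decoded = unquote(value)
            if XSS_RE.search(decoded):
                findings.append((rec["ip"], "search_param", decoded))

        # Vector 2: payload in the Referer header of a request that produced a 404.
        ref = unquote(rec["referer"])
        if rec["status"] == "404" and XSS_RE.search(ref):
            findings.append((rec["ip"], "referer_404", ref))
    return findings


def summarize_by_source(findings):
    """Count findings per source IP. Repeated submissions of the same payload from one
    address match the 'hit the popular pages repeatedly' behaviour described above."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_xss_indicators(SAMPLE_LOG)
    for ip, vector, evidence in hits:
        print(f"{ip}\t{vector}\t{evidence}")
    print(summarize_by_source(hits))
```

On the constructed sample the script flags the two repeated search-parameter requests from one address and the single 404 request whose Referer carries an event-handler payload, while leaving the two benign lines alone. In practice you would feed it real log files, add the plugin-specific endpoints once they are known, and treat a single source producing many hits as the strongest signal.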
