
Critical WordPress Plugin Vulnerabilities Exploited to Create Rogue Admin Accounts

Charles M. Walls | May 30, 2024


Cybersecurity experts have issued a warning about several critical security vulnerabilities in WordPress plugins that are being actively exploited by malicious actors. These attackers are using the vulnerabilities to create unauthorized administrator accounts, paving the way for further exploitation.

Researchers from Fastly, including Simran Khalsa, Xavier Stevens, and Matthew Mathur, highlighted that the affected plugins are susceptible to unauthenticated stored cross-site scripting (XSS) because of insufficient input sanitization and output escaping, which allows attackers to inject malicious scripts into content the plugins store and later render.

The identified security flaws include:

  • CVE-2023-6961 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO versions up to 4.5.12
  • CVE-2023-40000 (CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache versions up to 5.7
  • CVE-2024-2194 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics versions up to 14.5

The attack strategy involves injecting a payload that links to a concealed JavaScript file hosted on an external domain. This file is responsible for creating a new admin account, embedding a backdoor, and installing tracking scripts.

The PHP backdoors are inserted into both plugin and theme files, while the tracking script sends an HTTP GET request with the host information to a remote server ("ur.mystiqueapi[.]com/?ur").

Fastly noted that a significant portion of these exploitation attempts are coming from IP addresses linked to the Autonomous System (AS) IP Volume Inc. (AS202425), with many originating from the Netherlands.

Notably, WordPress security firm WPScan had previously reported similar attacks exploiting CVE-2023-40000 to create unauthorized admin accounts on vulnerable websites.

To protect against these threats, WordPress site owners should review their installed plugins, apply the latest updates, and audit their sites for any signs of malware or unauthorized admin accounts. Regular maintenance and vigilance are key to mitigating these risks.
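As an added example (not from the article or from Fastly's research), the two audit steps above in Python: flagging administrator accounts that are not on an approved list or were registered recently, and searching plugin and theme files for the tracking host the article quotes. The wp_users/wp_usermeta field names follow the WordPress schema; the user records, plugin and theme names are constructed.

```python
# Constructed audit helpers: rogue admin accounts and backdoored plugin/theme files.
import tempfile
from datetime import datetime
from pathlib import Path

# Tracking host quoted in the article, undefanged so it matches file contents.
TRACKING_HOST = "ur.mystiqueapi.com"

# Constructed export: wp_users rows joined with each user's wp_capabilities meta.
SAMPLE_USERS = [
    {"user_login": "siteadmin", "user_registered": "2022-01-15 12:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor_anna", "user_registered": "2023-11-02 09:14:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "wpsupp0rt", "user_registered": "2024-05-28 03:41:17",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

def rogue_admins(users, known_admins, since):
    """Administrator logins missing from the approved list or registered after
    `since` (YYYY-MM-DD). wp_capabilities is PHP-serialized; a role-name match suffices."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for u in users:
        if '"administrator"' not in u["wp_capabilities"]:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_admins or registered > cutoff:
            flagged.append(u["user_login"])
    return flagged

def files_referencing_host(wp_content, host=TRACKING_HOST):
    """Relative paths of .php/.js files under plugins/ and themes/ (where the
    backdoors were reported) that mention the tracking host."""
    root, hits = Path(wp_content), []
    for sub in ("plugins", "themes"):
        for path in sorted((root / sub).rglob("*")):
            if path.is_file() and path.suffix in (".php", ".js"):
                if host in path.read_text(encoding="utf-8", errors="replace"):
                    hits.append(path.relative_to(root).as_posix())
    return hits

def make_sample_wp_content():
    """Constructed wp-content tree in a temp dir: one clean plugin file, one theme file referencing the host."""
    root = Path(tempfile.mkdtemp())
    plugin, theme = root / "plugins" / "example-plugin", root / "themes" / "example-theme"
    plugin.mkdir(parents=True); theme.mkdir(parents=True)
    (plugin / "example.php").write_text("<?php // clean constructed sample\n")
    (theme / "functions.php").write_text(f"<?php // constructed sample\n$u = 'https://{TRACKING_HOST}/?ur';\n")
    return root
```

On a live site, feed `rogue_admins` an export of wp_users joined with the wp_capabilities meta row and point `files_referencing_host` at the real wp-content directory.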
