Nearly 6M WordPress sites may be affected by bugs in 3 plug-ins – SC Media

Three high-severity cross-site scripting (XSS) vulnerabilities in widely used WordPress plug-ins, each exploitable without authentication to inject malicious scripts into affected sites, are being targeted in attacks observed by researchers.
The bugs could affect nearly 6 million WordPress installations combined, so security pros advised taking them seriously.
In a May 29 blog post, Fastly researchers said the attack payloads they observed inject a script tag that points to an obfuscated JavaScript file hosted on an external domain.
The researchers said the script used to target each of the bugs was identical and focused on three malicious actions: creating a new administrator account, injecting backdoors, and setting up tracking scripts, apparently to monitor infected sites.
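The indicator Fastly describes, a script tag whose src points at a domain other than the site's own, is something a site owner can look for in stored post content, widgets and option values. The following is an added example, not Fastly's or SC Media's code: it parses HTML with the standard library and flags externally hosted script tags. The HTML samples and the hostname `attacker.invalid` are constructed placeholders, not indicators from the report.

```python
"""Flag <script src="..."> tags that load from a host other than the site's own.

Added example, not code from the article or from Fastly. The sample HTML and
the placeholder host attacker.invalid are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, tolerating sloppy markup."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == "src" and value:
                self.srcs.append(value.strip())


def external_script_srcs(html, site_host):
    """Return the src values of script tags that load from a host other than site_host.

    Relative URLs (no host) and same-host absolute URLs count as first-party.
    Scheme-relative URLs such as //host/x.js are external when the host differs.
    Host comparison is case-insensitive (urlparse lowercases .hostname).
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    site_host = site_host.lower()
    return [
        src for src in parser.srcs
        if (urlparse(src).hostname or "") not in ("", site_host)
    ]


# Constructed samples: a clean post and one carrying an injected external script.
CLEAN_POST = '<p>Hello</p><script src="/wp-includes/js/jquery.js"></script>'
INJECTED_POST = (
    "<p>Hello</p>"
    '<script src="//attacker.invalid/obf.js"></script>'  # placeholder host
    '<script src="https://www.example-site.test/ok.js"></script>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_POST), ("injected", INJECTED_POST)):
        print(label, external_script_srcs(doc, "www.example-site.test"))
```

Run it over an export of `wp_posts.post_content` and `wp_options.option_value` (or any HTML the site serves) and review every hit against the domains the site legitimately loads scripts from; a CDN the site uses will also be flagged, so the output is a review list, not a verdict.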

The first bug, CVE-2024-2194, affects WP Statistics, which has more than 600,000 installations. The second, CVE-2023-6961, affects the WP Meta SEO plug-in, which has more than 20,000 installations. The third, CVE-2023-40000, affects the LiteSpeed Cache plug-in, which has well over 5 million installations.
Adam Neel, threat detection engineer at Critical Start, said these WordPress bugs let attackers steal admin credentials via XSS. Neel added that WordPress admins have capabilities that security teams would not want in the hands of an attacker, such as removing other users, deleting pages, and being able to see all backend content.
“This is a wealth of information and power for attackers to have, so it’s imperative for website administrators to update the vulnerable plugins,” said Neel. “Ensure all WordPress plugins are updated to the latest versions.”
Lionel Litty, chief security architect at Menlo Security, added that there are mechanisms to mitigate the impact of this type of stored XSS vulnerability, namely the Content Security Policy header. Unfortunately, Litty said too few web servers have this deployed and even the ones that do often have a policy that is too lax to be effective.
“This is a good reminder to examine the sensitive web applications you are using to see if they have adequate hardening in place,” said Litty. “If they don’t, ask your vendor about it.”
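Litty's point about lax policies is easy to check concretely: a Content-Security-Policy only helps against the payload Fastly describes (a parser-inserted script tag pointing at an external domain) if its script-src, or the default-src it falls back to, actually excludes that origin, and it only stops injected inline script if 'unsafe-inline' is absent or overridden by nonces or hashes. The following added example, not code from the article, Menlo Security or WordPress, implements those script-src matching rules and compares a lax policy with a strict one. The policies, site and attacker hostnames are constructed placeholders.

```python
"""Decide whether a Content-Security-Policy would block an injected script.

Added example, not code from the article, Menlo Security or WordPress. Models the
script-src rules relevant to an injected <script src> and injected inline script:
script-src with default-src as fallback, 'self', 'unsafe-inline', 'strict-dynamic',
nonce/hash keywords, scheme sources (https:) and host sources with *.wildcards.
Hostnames below are placeholders.
"""
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _script_sources(policy):
    """script-src governs scripts; default-src is the fallback; None means unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def _host_source_matches(source, url):
    """Match a host-source such as https://cdn.example.test or *.example.test."""
    scheme, rest = (source.split("://", 1) if "://" in source else (None, source))
    host = rest.split("/", 1)[0].split(":", 1)[0]  # drop path and port (simplified)
    if scheme and scheme != url.scheme:
        return False
    target = url.hostname or ""
    if host == "*":
        return True
    if host.startswith("*."):
        return target.endswith(host[1:])
    return host == target


def allows_injected_external_script(header, script_url, page_origin):
    """True if <script src=script_url> injected into a page at page_origin would load."""
    sources = _script_sources(parse_csp(header))
    if sources is None:
        return True  # neither script-src nor default-src: scripts are unrestricted
    lowered = [s.lower() for s in sources]
    if "'strict-dynamic'" in lowered:
        return False  # allowlists are ignored, and an injected tag has no nonce or hash
    script, page = urlparse(script_url), urlparse(page_origin)
    for s in lowered:
        if s == "'self'":
            if (script.scheme, script.hostname, script.port) == (page.scheme, page.hostname, page.port):
                return True
        elif s.startswith("'"):
            continue  # 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a URL
        elif s.endswith(":") and "://" not in s:
            if script.scheme == s[:-1]:
                return True  # scheme-source such as https: allows any host on that scheme
        elif _host_source_matches(s, script):
            return True
    return False


def allows_injected_inline_script(header):
    """True if an injected inline <script>...</script> (no nonce, unknown hash) would run."""
    sources = _script_sources(parse_csp(header))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered):
        return False  # when nonces or hashes are present, 'unsafe-inline' is ignored
    return "'unsafe-inline'" in lowered


# Constructed policies: a lax one of the kind the article warns about, and a strict one.
LAX_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example-site.test; object-src 'none'"
PAGE = "https://www.example-site.test"
PAYLOAD = "https://attacker.invalid/obfuscated.js"  # placeholder, not a real indicator

if __name__ == "__main__":
    for name, csp in (("lax", LAX_CSP), ("strict", STRICT_CSP)):
        print(name, "external:", allows_injected_external_script(csp, PAYLOAD, PAGE),
              "inline:", allows_injected_inline_script(csp))
```

The lax policy permits both the external script and inline script, so it adds nothing against this payload; the strict policy blocks both while still allowing the site's own scripts and its CDN. CSP limits what an injected script can do once stored; it does not remove the stored payload or fix the plug-in, so it complements the updates Neel recommends rather than replacing them.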
Critical Start’s Neel recommended the following remediation steps for security pros to consider:
