Security researchers warn of actively exploited high severity vulnerabilities in multiple WordPress plugins, allowing threat actors to create rogue admin accounts and conduct subsequent attacks. Researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur note that these vulnerabilities, due to inadequate input sanitization and output escaping, are susceptible to unauthenticated stored cross-site scripting (XSS) attacks, enabling attackers to inject malicious scripts.
The implicated security vulnerabilities include:
CVE-2023-6961 (CVSS score: 7.2): Unauthenticated stored XSS in WP Meta SEO (<= 4.5.12)
CVE-2023-40000 (CVSS score: 8.3): Unauthenticated stored XSS in LiteSpeed Cache (<= 5.7)
CVE-2024-2194 (CVSS score: 7.2): Unauthenticated stored XSS in WP Statistics (<= 14.5)
The attack chain involves injecting payloads pointing to obfuscated JavaScript files hosted on external domains, responsible for creating new admin accounts, inserting backdoors, and setting up tracking scripts. PHP backdoors are injected into plugin and theme files, while tracking scripts aim to send HTTP GET requests containing HTTP host information to a remote server (“ur.mystiqueapi[.]com/?ur”).
Fastly detects a significant volume of attack attempts originating from IP addresses associated with the autonomous system (AS) IP Volume Ltd (AS202425), with the majority originating from the Netherlands. Notably, WordPress security company WPScan previously disclosed similar attacks targeting CVE-2023-40000, used to create rogue admin accounts on vulnerable websites.
To mitigate the risks posed by such attacks, WordPress site owners are advised to review their installed plugins, apply the latest updates, and audit their websites for signs of malware or the presence of suspicious administrator users.