Cybersecurity researchers have uncovered active exploitation of severe security vulnerabilities in WordPress plugins, facilitating the creation of unauthorized administrator accounts by malicious actors. Identified flaws in plugins like WP Meta SEO, LiteSpeed Cache, and WP Statistics have left websites vulnerable to unauthenticated stored cross-site scripting attacks due to insufficient input sanitization. Attackers utilize injected payloads, often pointing to obfuscated JavaScript files hosted externally, to execute unauthorized actions such as creating new admin accounts, inserting backdoors, and deploying tracking scripts.
The attack chain typically involves the injection of PHP backdoors into plugin and theme files, along with the deployment of tracking scripts designed to transmit HTTP GET requests containing host information to remote servers. Notably, a significant portion of exploitation attempts originates from IP addresses linked to the Autonomous System (AS) IP Volume Inc., with notable activity observed in the Netherlands. WPScan had previously disclosed similar attack campaigns targeting vulnerabilities like CVE-2023-40000, emphasizing the prevalence of such threats in the WordPress ecosystem.
To safeguard against these risks, WordPress site owners are urged to conduct thorough reviews of installed plugins, promptly apply available updates, and conduct comprehensive audits to detect any signs of malware or unauthorized administrator users. Proactive measures are crucial for mitigating the potential impact of these vulnerabilities and enhancing the overall security posture of WordPress websites.
