Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP Statistics and LiteSpeed! Learn how these attacks work, the impact they have, and how to fortify your site with a multi-layered defence.

WordPress, the globally used content management system (CMS) powering millions of websites, is being abused in attacks exploiting unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities, warns cloud security provider Fastly. The company discovered active exploitation attempts targeting three high-severity vulnerabilities in popular WordPress plugins.

According to Fastly’s blog post, attackers are injecting malicious scripts and backdoors into websites to create new admin accounts, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets. The malicious payloads were referenced in five domains and with two additional tracking-based domains previously associated with WordPress plugin exploitation.

Vulnerable plugins include WP Meta SEO, and the popular WP Statistics and LiteSpeed Cache plugins, boasting over 600,000 and 5 million active installations respectively, were found vulnerable to attacks, with malicious payloads injected via URL search parameters and scripts disguised as admin notifications, potentially leading to widespread compromise.

For your information, Unauthenticated Stored XSS is a malicious script, which when injected on a WordPress site allows unauthorized access to sensitive information like cookies and session tokens.

****Vulnerability Details****

CVE-2023-6961, discovered by CERT PL researcher Krzysztof Zając in April 2024, exposes a vulnerability in the WP Meta SEO plugin, which can be exploited by attackers by sending a payload to a target site, generating a 404 response, and inserting an unsanitized header into the database.

CVE-2024-2194, discovered by Tim Coen in March 2024, allows unauthenticated attackers to inject web scripts into the WP Statistics plugin versions 14.5 and earlier when a user accesses the injected page. Versions lower than 14.5 remain active on 48% of all websites using the plugin.

CVE-2023-40000, discovered by Patchstack in February 2024, exposes a stored cross-site scripting vulnerability in the LiteSpeed Cache plugin, triggering an XSS vulnerability when an admin accesses a backend page disguised as an admin notification.

WordPress plugins rely on user-generated content, which can be vulnerable to malicious scripts if not properly validated and sanitized. Any exploitation can lead to severe consequences, including session hijacking, data theft, malware distribution, and website defacement.

To safeguard your WordPress site from unauthenticated stored XSS attacks update your core, plugins and themes regularly, prioritize input validation and sanitization, regularly scan your site for vulnerabilities, implement a Web Application Firewall (WAF), and use strong passwords and Multi-Factor Authentication (MFA).

Adam Neel, Threat Detection Engineer at Critical Start commented on the issue and told Hackread.com, “These WordPress vulnerabilities allow attackers to steal admin credentials via cross-site scripting (XSS) and WordPress admins have capabilities that you would not want in the hands of an attacker such as removing other users, deleting pages, and being able to see all backend content,“ he warned.

“This is a wealth of information and power for attackers to have, so website administrators must update the vulnerable plugins. Ensure all WordPress plugins are updated to the latest versions, particularly WP Statistics, WP Meta SEO, and LiteSpeed Cache,” Adam advised.

1. 5 Best CAPTCHA Plugins for WordPress Websites
2. WordPress Websites Hacked with New Sign1 Malware
3. WordPress Websites Being Hacked with Balada Malware
4. FakeUpdates Malware Targets Millions of WordPress Sites
5. Zero-Day Exploit Threatens 200,000 WordPress Websites