Hackers utilising XSS vulnerabilities to attack 900,000 WordPress sites

Attackers are exploiting cross-site scripting (XSS) and related plugin vulnerabilities to inject malicious redirects into WordPress sites, in a campaign targeting more than 900,000 of them.

The Wordfence Threat Intelligence Team, which identified the campaign, noted that the volume of these attacks is rising sharply.

Since 28th April, these attacks have been occurring at roughly 30 times their normal rate.

In fact, 500,000 such attacks were attempted on 3rd May alone.

Because every attack carries the same payload, the team believes a single threat actor is behind the campaign.

The payload is a piece of malicious JavaScript that redirects site visitors; when it runs in the browser of a logged-in administrator, it abuses that admin session to write a backdoor into the header file of the active WordPress theme.
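As an added illustration of the check this mechanism calls for (example code written for this page, not Wordfence's scanner and not the attacker's payload), the Python below scans a theme's header.php for the traces that kind of injection leaves behind: script tags loading from hosts outside an allowlist, obfuscated client-side redirects, and PHP eval-of-decoded-blob constructs. The sample header contents, the hostnames and the indicator patterns are constructed assumptions; treat hits as leads to inspect by hand, not as proof of compromise.

```python
import os
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample of a clean theme header.php (not a real theme file).
CLEAN_HEADER = """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<?php wp_head(); ?>
</head>
<body <?php body_class(); ?>>
"""

# The same header with three constructed injections of the kind described
# above: a PHP backdoor that evals a base64 blob, a script tag pulling code
# from an attacker-controlled host, and an obfuscated visitor redirect.
# Hostnames use the reserved .invalid TLD; the base64 is a harmless stub.
INFECTED_HEADER = """<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<script src="https://cdn.malvertiser.invalid/track.js"></script>
<script>window.location.replace(atob("aHR0cHM6Ly9iYWQuaW52YWxpZC8="));</script>
<?php wp_head(); ?>
</head>
<body <?php body_class(); ?>>
"""

# Indicator patterns: assumptions for this example, not a vendor signature set.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
PHP_EVAL_RE = re.compile(
    r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)
JS_REDIRECT_RE = re.compile(
    r'(?:window|document|top)\.location(?:\.href|\.replace|\.assign)?\s*[=(]'
    r'[^;]*\b(?:atob|unescape|String\.fromCharCode)\s*\(', re.I)

Finding = Tuple[str, str]  # (indicator kind, matched text)


def scan_header(source: str, allowed_hosts: set) -> List[Finding]:
    """Return indicator hits in one header.php. Relative script URLs and
    scripts served from allowed_hosts (the site's own domains/CDNs) are ignored."""
    findings: List[Finding] = []
    for src in SCRIPT_SRC_RE.findall(source):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", src))
    for m in PHP_EVAL_RE.finditer(source):
        findings.append(("php-eval-decoded", m.group(0)))
    for m in JS_REDIRECT_RE.finditer(source):
        findings.append(("js-obfuscated-redirect", m.group(0)))
    return findings


def scan_theme_dir(themes_root: str, allowed_hosts: set) -> Dict[str, List[Finding]]:
    """Scan every header.php below wp-content/themes; returns only files with hits."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(themes_root):
        if "header.php" in files:
            path = os.path.join(dirpath, "header.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_header(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    site_hosts = {"example.com", "www.example.com"}  # assumed site domains
    for label, text in (("clean", CLEAN_HEADER), ("infected", INFECTED_HEADER)):
        print(label, scan_header(text, site_hosts))
```

Run `scan_theme_dir("/var/www/html/wp-content/themes", {...})` (the path is an assumption) against a live install; the allowlist should hold every host the site legitimately loads scripts from, otherwise a tag-manager or analytics include will show up as a hit.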

Ameet Naik, a cyber security expert at PerimeterX, pointed out that an XSS attack can do far more damage than redirect traffic.

In fact, attackers exploiting such XSS vulnerabilities can spread malware, hijack user sessions and steal data.

In the past, these techniques have been used in Magecart attacks on e-commerce websites, resulting in the theft of millions of credit card numbers.

Although attacks on WordPress plugins are nothing new, Wordfence reports that it has not previously seen a campaign of this scale.

Over the past month the team observed the malicious requests coming from 24,000 distinct IP addresses.

In total, the attacks target vulnerabilities in five WordPress plugins, some of which, despite their popularity, are no longer maintained.

One of these is Easy2Map, a plugin that was removed from the official WordPress plugin repository in August 2019 because of an XSS vulnerability.

Roughly half of the current attacks target this plugin alone.

Another is Total Donations, which contains an options update vulnerability (one that lets an attacker modify the site's WordPress options without authorisation).

It was removed from the Envato Marketplace in early 2019 as a result.
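As an added triage check (example code written for this page, not a Wordfence or WordPress.org tool), the Python below reads the metadata comment block that WordPress expects at the top of each plugin's main file and flags any installed plugin whose name matches the targets this article names. The sample plugin files and their version strings are constructed; the match list holds only Easy2Map and Total Donations because the page does not name the other three, and matching on the display name rather than the directory slug is an assumption made for readability.

```python
import os
import re
from typing import Dict, List

# Names the article gives as targets. The other three plugins it mentions
# are not named on the page, so this list is deliberately incomplete.
TARGETED_PLUGIN_NAMES = {"easy2map", "total donations"}

# Fields read from the header comment block that WordPress itself parses
# ("Field Name: value", one per line, within the first 8 KB of the file).
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Version")

# Constructed sample plugin files keyed by path relative to wp-content/plugins.
# Version strings are placeholders, not the plugins' real version history.
SAMPLE_PLUGIN_FILES: Dict[str, str] = {
    "easy2map/easy2map.php": "<?php\n/*\nPlugin Name: Easy2Map\nVersion: 1.2.9\n*/\n",
    "total-donations/total-donations.php":
        "<?php\n/*\nPlugin Name: Total Donations\nVersion: 2.0.5\n*/\n",
    "akismet/akismet.php":
        "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n * Version: 4.1.5\n */\n",
    "helper/utils.php": "<?php\n// a file with no plugin header\n",
}


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract header fields the way WordPress does: tolerate comment
    prefixes (spaces, tabs, '/', '*', '#', '@') and strip a trailing '*/'."""
    head = source[:8192].replace("\r", "\n")
    header: Dict[str, str] = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
            if value:
                header[field] = value
    return header


def inventory(plugin_files: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one record per file that carries a Plugin Name header."""
    plugins: List[Dict[str, str]] = []
    for path, source in plugin_files.items():
        header = parse_plugin_header(source)
        if "Plugin Name" in header:
            plugins.append({"path": path, **header})
    return plugins


def flag_targeted(plugins: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Plugins whose display name matches the article's target list."""
    return [p for p in plugins if p["Plugin Name"].lower() in TARGETED_PLUGIN_NAMES]


def load_plugins_dir(plugins_root: str) -> Dict[str, str]:
    """Read the top-level .php files of each plugin directory under
    wp-content/plugins, which is where WordPress looks for the header."""
    files: Dict[str, str] = {}
    for entry in sorted(os.listdir(plugins_root)):
        full = os.path.join(plugins_root, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f) for f in os.listdir(full) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [full]  # single-file plugins live directly in the root
        else:
            continue
        for path in candidates:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(path, plugins_root)] = fh.read()
    return files


if __name__ == "__main__":
    for hit in flag_targeted(inventory(SAMPLE_PLUGIN_FILES)):
        print(f"targeted plugin installed: {hit['Plugin Name']} "
              f"{hit.get('Version', '?')} ({hit['path']})")
```

Against a live install, pass `load_plugins_dir("/var/www/html/wp-content/plugins")` (path assumed) to `inventory`; WP-CLI's `wp plugin list` gives the same inventory on a site where it is available. A hit on Easy2Map cannot be fixed by updating, since the plugin was pulled from the repository, so the remediation is removal.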