May 30, 2024 at 11:16AM
Fastly warns of ongoing exploitation of vulnerabilities in three WordPress plugins that enables the injection of malicious scripts and backdoors. These flaws permit unauthenticated stored cross-site scripting (XSS) attacks, the creation of new administrator accounts, and credential theft. Impacting over 600,000 installations, the campaign originates from IPs linked to AS IP Volume Inc.
From the meeting notes, the key takeaways are:
1. Vulnerabilities in three WordPress plugins, WP Statistics, WP Meta SEO, and LiteSpeed Cache, are being exploited to inject malicious scripts and backdoors into websites.
2. Fastly has warned that the vulnerabilities can be exploited to execute unauthenticated stored cross-site scripting (XSS) attacks, allowing attackers to create new administrator accounts, inject PHP backdoors, and set up tracking scripts to monitor infected targets.
3. The exploitation attempts have been traced back to IPs associated with the Autonomous System (AS) IP Volume Inc.
4. The specific vulnerabilities and impacts:
– WP Statistics plugin (600,000+ active installations) – CVE-2024-2194: Allows attackers to inject scripts via the URL search parameter.
– WP Meta SEO plugin (20,000+ active installations) – CVE-2023-6961: Used to inject a payload into pages generating a 404 response to steal administrator credentials.
– LiteSpeed Cache plugin (5 million+ active installations) – CVE-2023-40000: An XSS payload disguised as an admin notification is used to execute malicious actions with administrator privileges.
5. Fastly has identified five domains being referenced in the malicious payloads, along with two additional domains used for tracking. At least one of these domains was previously associated with the exploitation of vulnerable WordPress plugins.
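All three flaws are stored XSS, so the injected payload persists in the site's database (plugin settings, post content) and is served to every visitor or administrator who loads the affected page. A practical defender check is to scan exported database rows for external script tags pointing at hosts the site does not legitimately use. The following scanner is an added example written for this summary; it is not code from Fastly, WordPress, or any of the plugins named above, and the table rows, allowlisted hosts, and flagged domains it uses are constructed placeholders.

```python
"""Scan stored WordPress content for injected external <script> tags.

Added example, not taken from the Fastly report or any plugin. Input rows
model an export of tables such as wp_options or wp_posts, where a stored XSS
payload would persist. Any <script src="..."> whose host is not on the
site's allowlist is reported. All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: site-specific).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Matches <script ... src=...> in any case; the src value may be quoted or bare.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*([^'\"\s>]+)", re.IGNORECASE
)


def external_script_hosts(html: str) -> list:
    """Return hosts of script tags in `html` that are not allowlisted.

    Protocol-relative URLs (//host/path) are normalised so urlparse sees a
    host; relative paths (/wp-content/...) have no host and are ignored.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        src = src.strip()
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
            hosts.append(host.lower())
    return hosts


def scan_rows(rows) -> list:
    """Flag every (table, key) row whose value references an external script."""
    findings = []
    for table, key, value in rows:
        for host in external_script_hosts(value):
            findings.append({"table": table, "key": key, "host": host})
    return findings


# Constructed sample export: one clean option, one legitimate CDN script,
# one relative script, and two rows carrying injected external scripts.
SAMPLE_ROWS = [
    ("wp_options", "blogname", "My Site"),
    ("wp_posts", "post_content:12",
     '<p>Hello</p><script src="https://cdn.example-site.test/app.js"></script>'),
    ("wp_posts", "post_content:13",
     '<script src="/wp-content/themes/x/main.js"></script>'),
    ("wp_options", "some_plugin_setting",
     'title<script src="//malicious.invalid/x.js"></script>'),
    ("wp_options", "another_setting",
     "<SCRIPT SRC='https://tracker.invalid/t.js?id=1'></SCRIPT>"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"{finding['table']}.{finding['key']}: external script from {finding['host']}")
```

Run it against a real export by replacing SAMPLE_ROWS with rows read from a database dump. The regex only catches plain `<script src=...>` tags; payloads stored HTML-entity-encoded, built at runtime from string fragments, or carried in inline script bodies will not match, so treat a clean result as one signal rather than proof of a clean site, and pair it with a diff of the tables against a known-good backup.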
Please let me know if there’s anything specific you need me to focus on or any additional details you require.