
WordPress, mass cybercrime scan to find XSS flaws

Wordfence: cybercriminals have launched mass scans for WordPress XSS vulnerabilities. The activity appears to be the work of a single malicious actor, who uses JavaScript code to plant a backdoor

Cybercriminals are targeting WordPress sites for cross-site scripting (XSS) vulnerabilities in plugins. Wordfence security researchers report that a massive scanning campaign to find these flaws on sites running the blogging platform has been under way since April 28. The culprit appears to be a single malicious actor who tries to inject malicious JavaScript (JS) code. The goal is to exploit sessions with administrator privileges and insert malware, a backdoor, into the theme header. The attacker also tries to identify other vulnerabilities in order to change the URL of the target site's homepage and divert visitors to malvertising sites. The analyses carried out so far show that the attacks are large-scale: nearly a million WordPress sites and around 24,000 distinct IP addresses have been targeted.

Security experts give an overview of the holes exploited to spread malware and redirect visitors to malvertising sites

According to the Wordfence security researchers, the XSS vulnerabilities most attacked by cybercriminals are: one in the Easy2Map plugin, which, although installed on fewer than 3,000 sites, appears to be the most used (in about half of the attacks); one in Blog Designer (roughly 1,000 vulnerable installations); one in the Newspaper theme, already exploited in the past; and the last two related to the update options in WP GDPR Compliance and Total Donations. The first, although installed over 100,000 times, has a low vulnerable rate (fewer than 5,000 installations); in the second the vulnerable installations are also few (about 1,000). The objective is to install JavaScript on a WordPress site that will run in an administrator's browser. If the visitor is not logged in as an administrator and is not on the login page, they are redirected to a malvertising page. If the visitor is an administrator, the script tries to inject the malware (the backdoor), from which a further payload will be downloaded.
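As an added defender-side example (not from Wordfence or the article), the following Python check scans a theme header.php for injected off-site or obfuscated script tags and verifies that the WordPress home/siteurl options have not been repointed, covering the two outcomes described above. The sample header, the trusted host `blog.example.org` and the `malvertising.invalid` hostname are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a theme header.php: one legitimate theme script, one injected
# protocol-relative remote loader and one obfuscated inline loader (placeholder names).
SAMPLE_HEADER = """<?php wp_head(); ?>
<script src="https://blog.example.org/wp-content/themes/news/js/menu.js"></script>
<script src="//malvertising.invalid/loader.js"></script>
<script>var p=atob("ZG9jdW1lbnQ=");eval(p);</script>
"""

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# Inline scripts only: a negative lookahead excludes tags that carry a src attribute.
INLINE_SCRIPT = re.compile(r'<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>', re.I | re.S)
OBFUSCATION = re.compile(r'\b(eval|atob|unescape)\s*\(|String\.fromCharCode|document\.write\s*\(', re.I)


def find_injected_scripts(html, trusted_hosts):
    """Return (kind, detail) findings for script tags that do not belong in the header.

    Remote <script src> tags pointing off the trusted hosts and inline scripts that use
    common obfuscation primitives are reported for manual review."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1).strip()
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/...
        if host and host.lower() not in trusted:
            findings.append(("external_script", src))
    for m in INLINE_SCRIPT.finditer(html):
        body = m.group(1)
        if OBFUSCATION.search(body):
            findings.append(("obfuscated_inline", body.strip()[:80]))
    return findings


def check_site_urls(home_url, site_url, expected_host):
    """Flag a 'home' or 'siteurl' option that no longer points at the site's own host."""
    problems = []
    for name, value in (("home", home_url), ("siteurl", site_url)):
        if urlparse(value).hostname != expected_host:
            problems.append((name, value))
    return problems


if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_HEADER, ["blog.example.org"]):
        print(f"{kind}: {detail}")
    print(check_site_urls("https://malvertising.invalid", "https://blog.example.org",
                          "blog.example.org"))
```

On a live site, read header.php from each active theme directory and the two options from the wp_options table, and treat any finding as a trigger for a full file-integrity comparison against a clean copy.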
