Attacks on XSS flaws in WordPress websites have surged over the last week – up 30x. Most of it, it appears, comes from a single player.
Security researchers have been closely following a large upsurge in attacks targeting Cross-Site Scripting (XSS) vulnerabilities. It started in late April before climbing to almost 30 times the level of such attacks usually seen.
In details recently revealed in a blog post by researchers at Wordfence, the majority of these attacks emanate from a single source, based on the payload they attempt to inject – a malicious JavaScript that redirects visitors, & uses an administrator’s session to put a ‘backdoor’ into the theme’s header.
XSS payload
It was further found that the cyber-criminals were also attacking other, usually older, vulnerabilities which allow them to change a site’s home URL to the same domain used in the XSS payload, redirecting visitors to so-called ‘malvertising’ sites.
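The two indicators described above (an injected script in the theme header and a tampered home URL) can be checked for in a simple triage script. The following is an added example, not code from Wordfence or the Defiant write-up; it assumes the site’s legitimate domain is example.com and uses attacker-redirect.invalid as a constructed placeholder for the redirect domain.

```python
"""Triage checks for a WordPress theme header and the home/siteurl options (added example)."""
import re
from urllib.parse import urlparse

# Matches the src attribute of <script> tags; case-insensitive to catch <SCRIPT SRC=...>.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def external_script_hosts(header_php: str, allowed_hosts) -> list:
    """Return hosts of <script src=...> tags in a theme header that are not allow-listed.

    Relative paths (no '//') load from the site itself and are skipped; absolute and
    protocol-relative URLs ('//host/x.js', as injected payloads often use) are checked.
    """
    found = []
    for src in SCRIPT_SRC_RE.findall(header_php):
        if "//" not in src:
            continue
        host = urlparse(src).hostname
        if host and host not in allowed_hosts and host not in found:
            found.append(host)
    return found


def unexpected_site_urls(options: dict, expected_host: str) -> dict:
    """Return the 'home'/'siteurl' options whose hostname differs from the expected one."""
    bad = {}
    for key in ("home", "siteurl"):
        value = options.get(key, "")
        if urlparse(value).hostname != expected_host:
            bad[key] = value
    return bad


# Constructed sample: a header.php with one injected external script, and a tampered 'home' option.
SAMPLE_HEADER = """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
<script src='//attacker-redirect.invalid/x.js'></script>
<?php wp_head(); ?>
</head>
"""
SAMPLE_OPTIONS = {"home": "https://attacker-redirect.invalid", "siteurl": "https://example.com"}

if __name__ == "__main__":
    print("unexpected script hosts:", external_script_hosts(SAMPLE_HEADER, {"example.com"}))
    print("tampered URL options:", unexpected_site_urls(SAMPLE_OPTIONS, "example.com"))
```

In practice the header text comes from the active theme’s header.php and the options from the wp_options table (or `wp option get home` / `wp option get siteurl` with WP-CLI); a non-empty result from either function warrants restoring the file and option from a known-good copy and rotating administrator credentials.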
“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020,” outlined Ram Gall, Senior QA at Defiant.
IP addresses
“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” he further explained.
A number of vulnerable plugins have been targeted in these attacks.
These include Easy2Map, Blog Designer, WP GDPR Compliance, & a defect in the Newspaper theme which was patched in 2016.
Plugins
Gall advised that the best thing that admins could do was to keep plugins well up to date, & also to deactivate & delete any plugins that have been removed from the WordPress plugin repository.
“The vast majority of these attacks are targeted at vulnerabilities that were patched months or years ago, and in plugins that don’t have a large number of users,” he reasoned.
Martin Jartelius, CSO at Outpost24, observed that WordPress comes with an ‘automatic update feature’ – “depending on your preferred risk, you can opt to use this & be kept safe from most attacks that follow a security fix, but this choice comes with the potential impact of a possible downtime should parts of your site not be compatible with an update”.
“For most organisations, using the automatic update feature is advised, and using something other than WordPress may be advisable for sites where the potential downtime is not acceptable. In this specific case, any organisation that applied automatic security fixes was patched well in advance of any wider exploitation,” he further went on to say.
Target
Stuart Sharp, VP of Solution Engineering at OneLogin, added that, considering more than 75 million sites use WordPress, it’s really not surprising that it is a number one target for hackers searching for vulnerabilities.
Malicious Code
“At the moment, bad actors are targeting sites to exploit a vulnerability that allows them to create backdoor admin accounts or inject malicious code inside the theme’s settings.
For organisations running multiple WordPress sites, they should prioritise work based on a risk assessment of the services offered by each exposed website, e.g. payment processing, authentication credentials and PII data. Keeping on top of security alerts and taking timely action in response to published vulnerabilities is vital,” he concluded.