Ongoing XSS Attacks Targeting WordPress

An ongoing series of attacks is currently targeting a vulnerability known as Unauthenticated Stored Cross-Site Scripting (XSS) in a popular WordPress cookie consent plugin called Beautiful Cookie Consent Banner. This plugin has amassed over 40,000 active installations, making it an attractive target for malicious actors.

Exploiting XSS Vulnerability

In XSS attacks, threat actors inject malicious JavaScript scripts into vulnerable websites, which then execute within the web browsers of unsuspecting visitors. The impact of such attacks can be severe, ranging from unauthorized access to sensitive information and session hijacking to malware infections via redirects to malicious websites or even complete compromise of the targeted system.

Discovery of Attacks and Patched Versions

Defiant, a reputable WordPress security company, discovered these attacks and revealed that the identified vulnerability allows unauthenticated attackers to create unauthorized admin accounts on WordPress websites that are running outdated versions of the Beautiful Cookie Consent Banner plugin (versions up to and including 2.10.1). Fortunately, this security flaw was addressed and patched in January with the release of version 2.10.2.

Scope and Impact of XSS Attacks

According to threat analyst Ram Gall from Defiant, this ongoing attack campaign has been active since February 5, 2023. However, the current attack wave is the largest and most concerning that they have encountered so far. Defiant has effectively blocked nearly 3 million attacks originating from nearly 14,000 IP addresses, targeting over 1.5 million sites since May 23, 2023.

Protecting Against Attacks – XSS Vulnerabilities

Despite the large-scale nature of these XSS attacks, Gall explains that the threat actor behind them is using a misconfigured exploit. As a result, it is unlikely that a payload will actually be deployed, even when a site running a vulnerable version of the plugin is targeted. Nevertheless, website administrators and owners using the Beautiful Cookie Consent Banner plugin are strongly advised to update it to the latest patched version: even failed attacks have the potential to corrupt the plugin's configuration stored in the nsc_bar_bannersettings_json option.

Furthermore, the patched versions of the plugin have been updated to include self-repair mechanisms. This means that in the event of an attack targeting a website, the plugin will be able to repair itself and restore its functionality.
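The two checks an administrator would want after reading the above are whether the installed plugin version predates the 2.10.2 fix and whether the nsc_bar_bannersettings_json option has been corrupted or had markup injected into it. The following is an added example, not code from the article, Defiant, or the plugin; the settings keys and sample values are constructed, and only the option name and patched version come from the text.

```python
import json
import re

PATCHED_VERSION = "2.10.2"                   # version that fixed the stored XSS (from the article)
OPTION_NAME = "nsc_bar_bannersettings_json"  # option holding the banner settings (from the article)

# A legitimate settings blob holds plain strings; any of these indicates injected markup.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),  # inline event handler such as onerror=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*iframe", re.I),
]

def parse_version(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable_version(installed):
    """True when the installed plugin is older than the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)

def audit_option_value(raw):
    """Return findings for the raw option value as read from wp_options (empty list = clean)."""
    findings = []
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        # A failed exploit attempt can leave the option unparsable, which breaks the banner.
        findings.append("option is not valid JSON (possibly corrupted by a failed attack)")
        return findings

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str):
            for pattern in INJECTION_PATTERNS:
                if pattern.search(node):
                    findings.append(f"suspicious markup in {path}: {node[:60]!r}")
                    break

    walk(data, OPTION_NAME)
    return findings

# Constructed sample option values (keys are hypothetical, not the plugin's real schema).
CLEAN_SAMPLE = json.dumps({"banner_text": "We use cookies", "button_text": "OK"})
TAMPERED_SAMPLE = json.dumps({"banner_text": 'We use cookies<script src="https://example.invalid/x.js"></script>'})
CORRUPT_SAMPLE = '{"banner_text": "We use cookies'  # truncated, as a failed attack might leave it
```

In practice the raw value would be pulled with `wp option get nsc_bar_bannersettings_json` or a direct query against wp_options, and a non-empty finding list is a reason to restore the option from a known-good backup after updating the plugin.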

Potential Risks and Other Vulnerabilities

While the current wave of attacks may not be capable of injecting websites with a malicious payload, it is important to note that the threat actor behind this campaign could correct the misconfigured exploit at any time. This could potentially result in the infection of any websites that remain exposed to the vulnerability.

Recently, threat actors have also begun scanning the internet for WordPress websites running vulnerable versions of the Essential Addons for Elementor and WordPress Advanced Custom Fields plugins. These campaigns emerged shortly after the release of proof-of-concept (PoC) exploits, which provide unauthenticated attackers with the ability to hijack websites by resetting admin passwords and gaining privileged access, respectively.

Ensuring Website Security

To safeguard WordPress websites, it is crucial for administrators to stay vigilant, promptly update all plugins and core software to their latest versions, and implement strong security measures to mitigate the risk of falling victim to such attacks.