Posted on May 27, 2023 at 9:24 AM

Hackers exploit XSS flaw in a WordPress cookie consent plugin

Hackers have been launching ongoing attacks targeting WordPress sites. These attacks have been targeted at an unauthenticated stored cross-site scripting (XSS) vulnerability within a WordPress cookie consent plugin known as Beautiful Cookie Consent Banner. The plugin has over 40,000 active installs.

Hackers use cookie consent plugin exploits to conduct attacks

The malicious actors behind these attacks targeted an XSS vulnerability. When hackers launch an attack using an XSS vulnerability, it installs malicious JavaScript scripts within the vulnerable websites. These malicious scripts will be injected into vulnerable websites, where they will then be executed within the web browsers of the site visitors.

The exploitation of these vulnerabilities can cause significant damage to the targeted devices. The impact caused by these attacks could include malicious actors having unauthorized access to sensitive information. They could also hijack online sessions and trigger malware infections through redirects to malicious sites.

One of the major effects of an exploit on an XSS vulnerability is that it could entirely compromise the system of the targeted device. The attacks in question were spotted by a WordPress security company known as Defiant.

The report by Defiant said that the vulnerability allows a malicious actor to generate fake admin accounts on WordPress websites that are using unpatched plugin versions, including 2,10.1, and all the updated versions.

The security vulnerability that was exploited in this malicious campaign was fixed in January following the release of an updated version 2.10.2. Ram Gall, who is a threat analyst, said that the company records showed that the flaw had been actively exploited since February 5, 2023. However, the latest attack was the largest attack that has ever been recorded against the flaw.

“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” Gall said. “We have blocked nearly 3 million attacks against more than 1.5 million sites from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”

The ongoing attack campaign is of a large-scale nature. According to Gall, the threat actor behind this campaign relies on a misconfigured exploit that would usually not deploy a single payload even when it is targeting a WordPress site that is using a plugin version that is vulnerable to exploits.

Website owners and admins urged to update to the latest version

The owners of websites that rely on the Beautiful Cookie Consent Banner plugin have been urged to update it to the latest version. The admins said that in case there is a failed attack, it could corrupt the configuration of the plugin that has been stored within the nsc_bar_bannersettings_json option.

The developer has already released an update to solve the matter at hand. The patched versions of the plugin have been updated so that the issue can remedy itself in case that particular website has been targeted in the ongoing exploits.

The current wave of attacks that are currently being witnessed on WordPress sites might not be capable of installing a malicious payload on websites. The threat actor behind this malicious campaign could address the issue at any time, and it could cause potential harm to the websites that are still exposed.

WordPress sites have, for the longest time, been vulnerable to hacking attacks. Last week, threat actors started showing interest in some WordPress websites that use the vulnerable versions of the WordPress Advanced Custom Field and Essential Addons for Elementor plugins that are vulnerable to being exploited.

In the case of the Essential Addons for Elementor plugin versions on multiple WordPress websites in a variety of internet scans. The hackers in question are exploiting a flaw in the account password reset that was revealed earlier.

The critical-severity vulnerability has been tracked as CVE-2023-32243, and it affects the Essential Addons for Elementor versions 5.4.0 to 5.7.1, which allowed hackers to reset the passwords of administrator accounts and take control of the websites.

Hackers also exploited a fixed flaw in the WordPress Advanced Custom Fields plugin around 24 hours after a proof-of-concept exploit was revealed publicly. The vulnerability is tracked as CVE-2023-30777, and it allows attackers to steal sensitive information to boost their privileges on the affected WordPress sites.

This vulnerability affected more than a million websites and was detected earlier this year. The vendor fixed the flaw by releasing a security update. The hacking campaigns on the two WordPress sites started after proof-of-concept (PoC) exploits were released to allow attackers to gain unauthorized access to websites after resetting administrative passwords and having privileged access.