Posted on May 13, 2023 at 8:55 AM
Hackers target WordPress plugin vulnerability after PoC exploit was released
Threat actors have been actively exploiting a recently patched vulnerability in the WordPress Advanced Custom Fields plugin. Exploitation began roughly 24 hours after a proof-of-concept (PoC) exploit was released to the public, with attackers moving on the flaw before most site owners had applied the patch.
Hackers target WordPress plugin flaw
The vulnerability is tracked as CVE-2023-30777. The high-severity flaw is a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to steal sensitive information from users and escalate their privileges on WordPress websites.
The vulnerability was discovered by Patchstack, a website security company, on May 2, 2023, and was publicly disclosed alongside a proof-of-concept exploit on May 5, after the plugin vendor had released a security update in the form of version 6.1.6.
The Akamai Security Intelligence Group (SIG) issued a report saying that it had detected the vulnerability being exploited by hackers. The cybersecurity company said that the exploitation appeared to have started on May 6, 2023. The researchers observed a considerable amount of scanning and exploitation activity that used the sample code provided in the Patchstack write-up.
The Akamai report also said that the Akamai SIG had analyzed the XSS attack data and found that the exploitation attempts commenced within 24 hours of the PoC being made public. One peculiar thing about the queries, the report noted, is that the attacker copied and used the sample code taken directly from the Patchstack write-up.
“The activity spanned all verticals without distinction. This breadth of activity and the complete lack of effort to create a new exploit code tells us the threat actor is not sophisticated. The actor was scanning for vulnerable sites and attempting to exploit an easy target,” the Akamai report said.
The vulnerability has a massive reach, which increases the potential for the threat actor to cause widespread damage. More than 1.4 million websites use the vulnerable plugin and have yet to upgrade to the latest version, according to statistics on wordpress.org, which gives the threat actors a massive attack surface to explore.
The XSS vulnerability
The XSS vulnerability requires that the targeted user be logged in to the site and have access to the plugin. When that user triggers the flaw, the malicious code runs in their browser, allowing the threat actor to obtain high-privileged access to the site.
The malicious scans conducted by the threat actors also show that this mitigating factor does not deter them. The hackers behind the exploit appear confident that they can get past the security systems in place through tricks and social engineering.
The exploit works on the default configuration of the affected plugin versions, which raises the threat actors' chance of success without requiring any extra effort on their part.
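Because the attackers reused the published sample code verbatim and scanned broadly, the probes leave a recognizable trace in web server logs: requests to the WordPress admin area whose query-string values carry script tags or event-handler attributes, often URL-encoded once or twice. The detector below is an added example for site operators and is not code from the article, Akamai or Patchstack. It assumes Apache/Nginx "combined" log format, restricts itself to paths under /wp-admin/ to cut noise, and uses a placeholder parameter name (example_param) in constructed log lines rather than the real CVE-2023-30777 parameter, which the article does not name.

```python
"""Flag reflected-XSS probes against a WordPress admin area in access logs.

Added example, not from the article or from Akamai/Patchstack. The log lines
are constructed and the parameter names are placeholders.
"""
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Nginx "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators typical of reflected-XSS probes; checked on the fully decoded value.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),            # <script ...>
    re.compile(r'\bon[a-z]+\s*=', re.I),        # onerror=, onload=, ...
    re.compile(r'javascript\s*:', re.I),        # javascript: URLs
    re.compile(r'<\s*(img|svg|iframe|body)\b', re.I),
]

ADMIN_PREFIX = '/wp-admin/'  # assumption: only logged-in admin-area traffic is of interest


def decode_param(value, rounds=3):
    """Repeatedly URL- and HTML-decode a value; probes are often double-encoded."""
    for _ in range(rounds):
        decoded = unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a suspicious admin-area request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if not parts.path.startswith(ADMIN_PREFIX):
        return None
    hits = []
    # parse_qsl performs one round of URL decoding; decode_param handles the rest.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_param(value)
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append(key)
    if not hits:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'path': parts.path,
            'params': hits, 'status': m['status']}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [finding for finding in map(classify, lines) if finding]


# Constructed sample log (not real traffic); example_param is a placeholder name.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/May/2023:10:15:32 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2023:10:16:01 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&example_param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2023:10:16:04 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&example_param=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 403 214 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [06/May/2023:10:17:20 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['path']} "
              f"params={finding['params']} status={finding['status']}")
```

The double-decoding step matters: a single `unquote` would leave the third sample line looking like harmless percent-encoded text, and a 403 from a WAF still tells you which source is scanning. Findings are meant to feed a blocklist or a SIEM alert, and a site that has already upgraded to 6.1.6 or 5.12.6 can treat them as reconnaissance noise rather than successful exploitation.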
Administrators of WordPress sites running the vulnerable plugin are advised to apply the available patch immediately to ensure that their sites are not compromised. Applying the patch protects a site from the ongoing scanning and exploitation activity.
The recommendation is to upgrade the free and pro versions of the "Advanced Custom Fields" plugin to version 6.1.6, or to version 5.12.6, which carries the backported fix.
This is not the first WordPress plugin that has been exploited by threat actors. Hackers have been actively exploiting a high-severity vulnerability within the leading Elementor Pro WordPress plugin to install backdoors on websites.
Elementor Pro is a WordPress page builder plugin that lets users create professional-looking websites without knowing how to code. It features drag and drop, a theme builder, a template collection, custom widget support, and a WooCommerce builder for online shops.
The flaw was discovered by Jerome Bruandet, a researcher at NinTechNet, on March 18, 2023, who shared technical details on how the vulnerability can be exploited when the plugin is installed alongside WooCommerce. The issue affects v3.11.6 and earlier versions and allows customers and site members to alter site settings and complete a full site takeover.