Attack

Fastly reports WordPress plugins exploited to inject malware and backdoors

Take action: If you are using WP Statistics, WP Meta SEO, or LiteSpeed Cache, update them ASAP: attackers are actively exploiting them, and you can't hide these apps from the internet.

Fastly has issued a warning about ongoing exploitation of vulnerabilities in three popular WordPress plugins, which are being used to inject malicious scripts and backdoors into websites.

The flaws in the plugins allow attackers to perform unauthenticated stored cross-site scripting (XSS) attacks, enabling the creation of new WordPress administrator accounts, the injection of PHP backdoors into plugin and theme files, and the installation of tracking scripts to monitor compromised targets.

Affected Plugins and Vulnerabilities:

  1. WP Statistics Plugin, CVE-2024-2194. This bug allows attackers to inject scripts via the URL search parameter; the injected script executes whenever a user accesses the affected page. Attackers use the 'utm_id' parameter to ensure the payload appears on highly visited pages. Affected versions: 14.5 and earlier.

  2. WP Meta SEO Plugin, CVE-2023-6961. Attackers exploit this flaw to inject payloads into pages that generate a 404 response. When such a page is loaded in an administrator's browser, the script retrieves obfuscated JavaScript code from a remote server. If the administrator is authenticated, the payload can steal their credentials. Affected versions: 4.5.12 and earlier.

  3. LiteSpeed Cache Plugin, CVE-2023-40000. The XSS payload is disguised as an admin notification. When an administrator opens a backend page, the script executes with their privileges, enabling further malicious actions. Affected versions: 5.7.0.1 and earlier.
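The common thread in all three bugs is script content arriving in a request parameter (the report names 'utm_id' for WP Statistics) and later being rendered unescaped. One way to hunt for that pattern in web-server access logs is shown below. This is an added example, not code from Fastly's report or from any of the plugins; it assumes Apache/nginx "combined" log format, the sample log lines and IP addresses are constructed for the example, and the marker list is an assumption a team would tune for its own traffic.

```python
"""Flag requests whose URL-decoded query parameters carry script-injection
markers, e.g. in utm_id as used against WP Statistics."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (assumed); only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that have no business in a tracking or search parameter.
# Matched case-insensitively after URL decoding (assumed starting list).
XSS_MARKERS = ("<script", "</script", "javascript:", "onerror=", "onload=")

# Constructed sample lines for this example; not real traffic or real IoCs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /?utm_id=summer_sale HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /?utm_id=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Ft.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /blog/post/?ref=%3Csvg%20onload%3D1%3E HTTP/1.1" 200 4000 "-" "python-requests/2.31"
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (param, decoded_value, marker) for each query value containing a marker.

    parse_qs percent-decodes and turns '+' into a space, so matching happens on
    what the application would actually see, not on the raw log bytes.
    """
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            lowered = value.lower()
            for marker in XSS_MARKERS:
                if marker in lowered:
                    hits.append((name, value, marker))
                    break
    return hits


def scan_log(text):
    """One finding per request that carries an injection marker in its query string."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value, marker in suspicious_params(rec["target"]):
            findings.append({
                "ip": rec["ip"], "time": rec["ts"], "param": name,
                "marker": marker, "value": value, "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} param={f['param']} "
              f"marker={f['marker']!r} value={f['value']!r}")
```

Because the payload is stored, a hit in the log with a 200 response is worth treating as a possible successful injection rather than a blocked probe: check the plugin's stored data (for WP Statistics, the recorded referrer/search parameters) and the rendered page, not just the request.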

Exploitation details reported by Fastly: Many exploitation attempts have been traced to IPs associated with the Autonomous System (AS) of IP Volume Inc. Fastly has identified five domains referenced in the malicious payloads and two additional domains used for tracking. At least one of these domains has previously been linked to the exploitation of vulnerable WordPress plugins.

Administrators are advised to update their plugins to the latest versions immediately.
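To turn that advice into a check, the script below reads the `Version:` header of each plugin's main PHP file and compares it with the last affected version quoted above ("X and earlier"). It is an added example, not from Fastly or the plugin vendors; the plugin directory slugs (`wp-statistics`, `wp-meta-seo`, `litespeed-cache`) are assumed from the plugins' wordpress.org names, and since the report states only the affected ranges, the check flags "installed <= last affected" rather than naming a fixed version.

```python
"""Flag installed WordPress plugins whose version falls in the affected range
reported for CVE-2024-2194, CVE-2023-6961 and CVE-2023-40000."""
import re
import sys
from pathlib import Path

# Directory slug (assumed from wordpress.org names) -> (name, CVE, last affected version).
AFFECTED = {
    "wp-statistics":   ("WP Statistics",   "CVE-2024-2194",  "14.5"),
    "wp-meta-seo":     ("WP Meta SEO",     "CVE-2023-6961",  "4.5.12"),
    "litespeed-cache": ("LiteSpeed Cache", "CVE-2023-40000", "5.7.0.1"),
}

# Matches the " * Version: 1.2.3" line of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^[ \t*#]*Version:[ \t]*(\S+)", re.M | re.I)


def version_tuple(version):
    """'5.7.0.1' -> (5, 7, 0, 1); pre-release suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(installed, last_affected):
    """True when installed <= last_affected, comparing component-wise with zero padding
    so that '5.7' equals '5.7.0' rather than sorting below it."""
    a, b = version_tuple(installed), version_tuple(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def version_from_header(php_source):
    """Extract the Version: value from a plugin's main file, or None if absent."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def check_plugin(slug, installed):
    """Evaluate one plugin; None for plugins not covered by the report."""
    if slug not in AFFECTED:
        return None
    name, cve, last = AFFECTED[slug]
    return {
        "plugin": name, "cve": cve, "installed": installed,
        "last_affected": last, "vulnerable": is_vulnerable(installed, last),
    }


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and check every covered plugin found there."""
    results = []
    for slug in AFFECTED:
        plugin_dir = Path(plugins_dir) / slug
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            # The header sits at the top of the main file; 8 KiB is plenty.
            version = version_from_header(php.read_text(errors="replace")[:8192])
            if version:
                results.append(check_plugin(slug, version))
                break
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for r in scan_plugins_dir(root):
        state = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{r['plugin']} {r['installed']} ({r['cve']}, affected <= {r['last_affected']}): {state}")
```

Run it as `python check_plugins.py /var/www/html/wp-content/plugins` (path assumed). A plugin that is absent from the output is simply not installed under the expected slug; an "ok" result only means the version is outside the range Fastly quoted, so keep applying the plugins' own update notices.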