Hackers are reportedly exploiting an unauthenticated stored cross-site scripting (XSS) flaw in a WordPress plugin to target hundreds of websites, experts have warned.
Cybersecurity researchers from Defiant found the flaw in Beautiful Cookie Consent Banner, a WordPress cookie consent plugin with more than 40,000 active installations. Attackers could use the vulnerability to add malicious JavaScript to compromised websites, which would then execute in visitors' browsers.
Cybercriminals can use XSS for a range of purposes, from stealing sensitive data and sessions to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is enough privilege to fully take over the site.
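The mechanism behind a stored XSS of this kind is a plugin setting that is saved without sanitization and later echoed raw into every page that shows the banner. The following is an added example, not code from the article or from the plugin: it contrasts the unsafe rendering pattern with HTML-encoding on output (what WordPress's esc_html() does), and includes a small audit helper that scans a constructed wp_options-style dump for script-injection markers so a site owner can check whether stored settings were tampered with. The option names and values are invented for the example.

```python
import html
import re

# Constructed wp_options-style dump (option_name -> option_value).
# These names and values are invented for the example; they are not from the advisory.
SAMPLE_OPTIONS = {
    "cookie_banner_text": "We use cookies to improve your experience.",
    "cookie_banner_text_injected": 'Accept cookies<script src="https://attacker.example/x.js"></script>',
    "cookie_banner_button": '<img src=x onerror="alert(1)">OK',
    "blogname": "Example Site",
}

# Markers that should never appear in a plain-text banner setting:
# a script tag, an inline event handler, a javascript: URL, or an iframe.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b",
    re.IGNORECASE,
)


def render_unsafe(setting: str) -> str:
    """The stored-XSS pattern: the saved setting is interpolated raw into the page,
    so any <script> or on*= handler an attacker managed to store runs in the visitor's browser."""
    return f'<div class="cookie-banner">{setting}</div>'


def render_escaped(setting: str) -> str:
    """Hardened form: HTML-encode the value at output time (the esc_html() pattern).
    Angle brackets and quotes become entities, so stored markup is displayed, not executed."""
    return f'<div class="cookie-banner">{html.escape(setting, quote=True)}</div>'


def find_injected_options(options: dict) -> list:
    """Return the names of options whose stored value contains script-injection markers.
    Useful when checking whether an attempted attack left markup in the plugin's configuration."""
    return sorted(name for name, value in options.items() if SCRIPT_MARKERS.search(value))


if __name__ == "__main__":
    for name in find_injected_options(SAMPLE_OPTIONS):
        print(f"suspicious option: {name}")
        print("  unsafe  :", render_unsafe(SAMPLE_OPTIONS[name]))
        print("  escaped :", render_escaped(SAMPLE_OPTIONS[name]))
```

The audit helper is deliberately conservative: it flags any stored value that contains markers which a plain banner message has no reason to carry, and a hit is a reason to restore the setting and update the plugin rather than proof of a successful compromise.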
Millions of affected sites
Beautiful Cookie's developers recently released a patch for the flaw, so if you're using the plugin, make sure it's updated to version 2.10.2.
“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we've seen,” Defiant's Ram Gall said. “We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”
The silver lining in the news is that the attackers' exploit appears to be misconfigured in a way that makes it unlikely to deploy a payload, even when it targets a site running an outdated and vulnerable version of the plugin. Nonetheless, the researchers urge webmasters and site owners to apply the patch, as even a failed attempt can corrupt the plugin's configuration.
The patch sorts this problem out as well, as the plugin is able to repair itself.
What's more, as soon as the hackers realize their mistake, they can quickly address it and potentially infect the sites that haven't been patched yet.
Via: BleepingComputer