Wordfence announced that there is an uptick in attacks targeting cross-site scripting (XSS) vulnerabilities.
The Wordfence team reported that over 900,000 WordPress sites are under attack, approximately 30 times the normal volume. The attacks targeting the XSS vulnerabilities began on April 28 and increased over the following days.
Malicious JavaScript
Most of these attacks attempt to inject malicious JavaScript that redirects visitors and, when an administrator is logged in, takes advantage of the administrator's session to insert a backdoor into the theme's header. The investigation also reveals that the attacks target older vulnerabilities, such as changing a site's home URL to the same domain used in the XSS payload in order to redirect visitors.
The targets are listed below:
- An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August of 2019, and which we estimate is likely installed on less than 3,000 sites. This accounted for more than half of all of the attacks.
- An XSS vulnerability in Blog Designer which was patched in 2019. We estimate that no more than 1,000 vulnerable installations remain, though this vulnerability was the target of previous campaigns.
- An options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL in addition to other options. Although this plugin has more than 100,000 installations, we estimate that no more than 5,000 vulnerable installations remain.
- An options update vulnerability in Total Donations which would allow attackers to change the site’s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and we estimate that less than 1,000 total installations remain.
- An XSS vulnerability in the Newspaper theme which was patched in 2016. This vulnerability has also been targeted in the past.
Wordfence also urged users to update the plugins they use and to deactivate and delete any plugins that have been removed from the WordPress plugin repository. The company also noted that during April it detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.
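The two post-exploitation outcomes described above (a script tag injected into the theme header and the home URL option pointed at the attacker's domain) are both cheap to check for. The following is an added example, not Wordfence's code or any part of WordPress: it scans the text of a theme's header.php for script tags loading from hosts other than the site's own, or using obfuscation primitives, and compares the home/siteurl options against the expected domain. The hostnames and the sample header are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a theme header.php with an injected external script tag,
# and the site's home/siteurl options with home pointed at an outside domain.
SAMPLE_HEADER = """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<?php wp_head(); ?>
<script src="https://malicious.example/stat.js"></script>
</head>
"""
SAMPLE_OPTIONS = {"home": "https://malicious.example/",
                  "siteurl": "https://www.goodsite.example"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
# Primitives commonly used to unpack an obfuscated payload at runtime.
SUSPICIOUS_INLINE = re.compile(
    r'(eval\s*\(|atob\s*\(|document\.write|String\.fromCharCode)', re.I)


def check_header(header_php: str, trusted_hosts: set) -> list:
    """Return findings for script tags that load from an untrusted host or
    whose inline body uses obfuscation primitives typical of injected code."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(header_php):
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            findings.append(f"external script from untrusted host: {host}")
    for body in INLINE_SCRIPT_RE.findall(header_php):
        if SUSPICIOUS_INLINE.search(body):
            findings.append("inline script uses eval/atob/document.write")
    return findings


def check_options(options: dict, expected_host: str) -> list:
    """Flag home/siteurl values whose host is not the site's own domain."""
    findings = []
    for key in ("home", "siteurl"):
        host = urlparse(options.get(key, "")).hostname
        if host != expected_host:
            findings.append(f"option {key} points at {host!r}, expected {expected_host!r}")
    return findings
```

In practice the header text comes from the active theme's header.php and the options from `wp option get home` / `wp option get siteurl`, or a direct query of the wp_options table.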