Hackers are reportedly utilizing an Unauthenticated Saved Cross-Website Scripting (XSS) flaw in a WordPress plugin to focus on hundreds of internet sites, specialists have warned.
Cybercriminals can use XSS for quite a few issues, from stealing delicate knowledge and periods, to finish takeover of the susceptible web site. On this specific case, risk actors can create admin accounts, which is sufficient privilege to utterly take over the web site.
Tens of millions of affected websites
Stunning Cookie’s creators just lately launched a patch for the flaw, so in case you’re utilizing the plugin, ensure that it’s up to date to model 2.10.2.
“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” Defiant’s Ram Gall mentioned. “We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”
The silver lining within the information is that the attackers’ exploit appears to be misconfigured in a method that it’s unlikely to deploy a payload, even when it targets a web site working an previous and susceptible model of the plugin. Nonetheless, the researchers urge site owners and house owners to use the patch, as even a failed try can corrupt the plugin’s configuration.
The patch kinds this drawback out as properly, because the plugin is able to repairing itself.
What’s extra, as quickly because the hacker realizes their mistake, they will rapidly handle it and doubtlessly infect the websites that haven’t been patched but.
By way of: BleepingComputer