Hackers are reportedly using an Unauthenticated Stored Cross-Site Scripting (XSS) flaw in a WordPress plugin to target thousands of websites, experts have warned.
Cybercriminals can use XSS for a number of things, from stealing sensitive data and sessions, to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is enough privilege to completely take over the website.
Millions of affected sites
Beautiful Cookie’s creators recently released a patch for the flaw, so if you’re using the plugin, make sure it’s updated to version 2.10.2.
“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” Defiant’s Ram Gall said. “We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”
The silver lining in the news is that the attackers’ exploit seems to be misconfigured in a way that it’s unlikely to deploy a payload, even if it targets a website running an old and vulnerable version of the plugin. Still, the researchers urge webmasters and owners to apply the patch, as even a failed attempt can corrupt the plugin’s configuration.
The patch sorts this problem out as well, as the plugin is capable of repairing itself.
What’s more, as soon as the hacker realizes their mistake, they can quickly address it and potentially infect the sites that haven’t been patched yet.