Large-scale attacks leave nearly a million WordPress websites at risk

News by Rene Millman

Massive growth in XSS flaw attacks on WordPress websites over past week - up 30 times - mostly from a single threat actor.

Security researchers have been tracking a surge in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began in late April before ramping up to nearly 30 times the usual volume of such attacks.

According to a blog post by researchers at Wordfence, most of the attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

Researchers investigated further and found that the cybercriminals were also attacking other vulnerabilities, primarily older ones that allow them to change a site’s home URL to the same domain used in the XSS payload, redirecting visitors to malvertising sites.
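The two tampering signs described above (a rewritten home/site URL and a script injected into the theme header) can be checked from the defender's side. The following is an added example, not code from the article or from Wordfence; the option values, header HTML and host names are constructed samples.

```python
"""Check a WordPress site's stored URLs and theme header for the two
tampering signs described in the article: home/siteurl pointing at a
foreign domain, and <script src=...> tags loading from unexpected hosts."""
import re
from urllib.parse import urlparse

# Constructed sample: what `home` and `siteurl` might look like after tampering.
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "home": "https://not-the-real-site.example",   # constructed attacker host
}

# Constructed sample of a theme header.php with one injected external script.
SAMPLE_HEADER = """<?php wp_head(); ?>
<script src="https://cdn.example.com/lib.js"></script>
<script src='https://not-the-real-site.example/x.js'></script>
<script>var local = 1;</script>
</head>"""

# Matches <script ... src="..."> or src='...' (case-insensitive).
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)


def check_site_urls(options, expected_host):
    """Return the names of URL options whose host is not expected_host."""
    bad = []
    for key in ("siteurl", "home"):
        host = urlparse(options.get(key, "")).hostname
        if host != expected_host:
            bad.append(key)
    return bad


def external_script_hosts(header_html, allowed_hosts):
    """Return sorted hosts of script src= tags not in allowed_hosts.
    Relative paths (no host) are same-origin and are ignored;
    protocol-relative //host/ URLs are still resolved to their host."""
    found = set()
    for src in SCRIPT_SRC.findall(header_html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    print("tampered URL options:", check_site_urls(SAMPLE_OPTIONS, "example.com"))
    print("unexpected script hosts:",
          external_script_hosts(SAMPLE_HEADER, {"example.com", "cdn.example.com"}))
```

On a live site the inputs would come from `wp option get home` / `wp option get siteurl` and the active theme's header.php; a non-empty result from either function is the cue to restore from a known-good copy and rotate admin credentials.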

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on 3 May, 2020,” said Ram Gall, senior QA at Defiant.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” he said.

Many flawed plugins have been targeted in the attacks, including Easy2Map, Blog Designer, WP GDPR Compliance, and a flaw in the Newspaper theme that was patched in 2016.

Gall said that the most important thing that admins could do is to keep plugins up to date and to deactivate and delete any plugins that have been removed from the WordPress plugin repository.

“The vast majority of these attacks are targeted at vulnerabilities that were patched months or years ago, and in plugins that don’t have a large number of users,” he said.

Martin Jartelius, CSO at Outpost24, told SC Media UK that WordPress comes with an automatic update feature – “depending on your preferred risk you can opt to use this and be kept safe from most attacks that follow a security fix, but this choice comes with the potential impact of a possible downtime should parts of your site not be compatible with an update”.

“For most organisations, using the automatic update feature is advised, and using something other than WordPress may be advisable for sites where the potential downtime is not acceptable. In this specific case, any organisation that applied automatic security fixes was patched well in advance of any wider exploitation,” he said.

Stuart Sharp, VP of solution engineering at OneLogin, told SC Media UK that considering that more than 75 million sites use WordPress, it’s not surprising that it’s a prime target for hackers searching out vulnerabilities.

“At the moment, bad actors are targeting sites to exploit a vulnerability that allows them to create backdoor admin accounts or inject malicious code inside the theme’s settings. For organisations running multiple WordPress sites, they should prioritise work based on a risk assessment of the services offered by each exposed website, e.g. payment processing, authentication credentials and PII data. Keeping on top of security alerts and taking timely action in response to published vulnerabilities is vital,” he said.
