Up to 1.5 million WordPress sites could be hit by this security flaw – so patch up now

Hackers are reportedly exploiting an unauthenticated stored cross-site scripting (XSS) flaw in a WordPress plugin to target thousands of websites, experts have warned.

Cybersecurity researchers from Defiant found the flaw in Beautiful Cookie Consent Banner, a WordPress cookie consent plugin with more than 40,000 active installations. The attackers could use the vulnerability to add malicious JavaScript to compromised websites, which would then be executed in visitors' browsers.

Cybercriminals can use XSS for various purposes, from stealing sensitive data and sessions to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is sufficient privilege to fully take over the website.

Millions of affected sites

Beautiful Cookie Consent Banner's developers recently released a patch for the flaw, so if you're using the plugin, make sure it's updated to version 2.10.2.

“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” Defiant's Ram Gall said. “We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”

The silver lining in the news is that the attackers' exploit appears to be misconfigured in a way that makes it unlikely to deploy a payload, even when it targets a website running an outdated and vulnerable version of the plugin. Nonetheless, the researchers urge site administrators and owners to apply the patch, as even a failed attempt can corrupt the plugin's configuration.

The patch sorts this problem out as well, as the plugin is able to repair itself.

What's more, as soon as the hackers realize their mistake, they could quickly address it and potentially infect the sites that haven't been patched yet.

Via: BleepingComputer
