Active exploitation of stored XSS vulnerabilities in WordPress Plugins
May 31, 2024, 12:36 p.m.
Description
Recent months have witnessed active exploitation attempts targeting multiple cross-site scripting (XSS) vulnerabilities in popular WordPress plugins. The attacks involve injecting malicious scripts that create new admin accounts, install backdoors, and implement tracking mechanisms. The affected plugins include WP Statistics, WP Meta SEO, and LiteSpeed Cache, with exploitation observed from IP addresses linked to entities like IP Volume Inc. and Telkom Internet LTD, primarily concentrated in the Netherlands.
Date
Published: May 31, 2024, 12:23 p.m.
Created: May 31, 2024, 12:23 p.m.
Modified: May 31, 2024, 12:36 p.m.
Indicators
Attack Patterns
T1064
T1505
T1082
T1057
T1496
T1083
T1055
T1098
T1140
T1027
T1056
T1584
T1078
T1059
CVE-2023-6961
CVE-2023-40000
CVE-2024-2194