Active exploitation of stored XSS vulnerabilities in WordPress Plugins

May 31, 2024, 12:36 p.m.

Description

Recent months have witnessed active exploitation attempts targeting multiple cross-site scripting (XSS) vulnerabilities in popular WordPress plugins. The attacks involve injecting malicious scripts that create new admin accounts, install backdoors, and implement tracking mechanisms. The affected plugins include WP Statistics, WP Meta SEO, and LiteSpeed Cache, with exploitation observed from IP addresses linked to entities like IP Volume Inc. and Telkom Internet LTD, primarily concentrated in the Netherlands.

External References

https://www.fastly.com/blog/active-exploitation-unauthenticated-stored-xss-vulnerabilities-wordpress
https://otx.alienvault.com/pulse/6659c15932c593c6f030798e
Tags
CVE-2023-6961
wordpress
2024-05-31
xss
CVE-2023-40000
CVE-2024-2194

Date

  • Created: May 31, 2024, 12:23 p.m.
  • Published: May 31, 2024, 12:23 p.m.
  • Modified: May 31, 2024, 12:36 p.m.

Indicators

  • 94.242.61.217
  • 94.102.51.95
  • 91.223.82.150
  • 80.82.78.133
  • 80.82.76.214
  • 185.7.33.129
  • 185.247.226.37
  • 185.209.162.247
  • 185.165.169.62
  • 185.159.82.103
  • 179.43.172.148
  • 185.100.87.144
  • 111.90.150.154
  • 111.90.150.123
  • 103.155.93.244
  • 103.155.93.120
  • 101.99.75.215
  • 101.99.75.178
  • 185.162.130.23
  • 31.43.191.220
  • 94.102.51.144
  • admim@mystiqueapi.com
  • ur.mystiqueapi.com
  • media.cdnstaticjs.com
  • idc.cloudiync.com
  • go.kcloudinc.com
  • cloud.cdndynamic.com
  • cdn.mediajsdelivery.com
Download all indicators here!

Attack Patterns

Linked vulnerabilities

CVE-2023-40000

None
Published:

CVE-2023-6961

7.2
    WP Meta SEO plugin for WordPress
Published: May 2, 2024

CVE-2024-2194

None
Published: