Hackers are reportedly exploiting an unauthenticated stored cross-site scripting (XSS) flaw in a WordPress plugin to target more than a million websites, experts have warned.
Cybercriminals can use XSS for a number of things, from stealing sensitive data and sessions to completely taking over a vulnerable website. Because this flaw is both stored and unauthenticated, an attacker needs no account to plant the script, and it then runs in the browser of anyone who loads the affected page, including a logged-in administrator. In this particular case, the threat actors use it to create administrator accounts, which is enough privilege to take control of the entire website.
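To make the chain above concrete, here is an added example, not code from the affected plugin or its authors, of the pattern behind an unauthenticated stored XSS in a WordPress plugin and its hardened counterpart. The plugin prefix `example_banner`, the option name and the AJAX action names are assumptions chosen for illustration; the two halves are shown side by side for comparison and are not meant to be loaded together.

```php
<?php
// Illustrative WordPress plugin fragment (assumed names, not the real plugin's code).

// VULNERABLE: a "nopriv" AJAX handler lets an unauthenticated visitor write
// attacker-controlled text into a plugin option, and the front end prints the
// option without escaping.
add_action( 'wp_ajax_nopriv_example_banner_save', 'example_banner_save_vulnerable' );
function example_banner_save_vulnerable() {
    // No capability check, no nonce, no sanitization: anyone on the internet
    // can store "<script>...</script>" here.
    update_option( 'example_banner_text', wp_unslash( $_POST['text'] ?? '' ) );
    wp_die();
}

add_action( 'wp_footer', 'example_banner_render_vulnerable' );
function example_banner_render_vulnerable() {
    // The stored string is echoed verbatim, so a script inside it executes for
    // every visitor. When that visitor is a logged-in administrator, the script
    // runs with the admin's cookies and nonces and can submit the
    // "add new user" form with the administrator role, which is the account
    // takeover described in the article.
    echo '<div class="example-banner">' . get_option( 'example_banner_text', '' ) . '</div>';
}

// HARDENED: only an authenticated user with manage_options may write, the
// request must carry a valid nonce, the value is sanitized on the way in and
// escaped on the way out. There is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_banner_save', 'example_banner_save_hardened' );
function example_banner_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_banner_save' ); // dies on a bad or missing nonce
    $text = sanitize_text_field( wp_unslash( $_POST['text'] ?? '' ) );
    update_option( 'example_banner_text', $text );
    wp_send_json_success();
}

add_action( 'wp_footer', 'example_banner_render_hardened' );
function example_banner_render_hardened() {
    // esc_html() turns "<script>" into "&lt;script&gt;", so whatever was stored
    // is displayed as text rather than executed.
    echo '<div class="example-banner">' . esc_html( get_option( 'example_banner_text', '' ) ) . '</div>';
}
```

The three controls in the hardened half (capability check, nonce, and sanitize-in/escape-out) are independent; dropping any one of them reopens a path, and the output escaping in particular is what stops a value that was stored before the fix from firing after it.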
More than 1.5 million websites targeted
The creators of Lovely Cookies have released a patch, so if you're using the plugin, make sure it is updated to version 2.10.2 or later.
“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack we have seen against it,” Defiant’s Ram Gall said. “We have blocked nearly 3 million attacks on more than 1.5 million websites, from nearly 14,000 IP addresses since May 23, 2023, and the attacks are continuing.”
The silver lining is that the attackers' exploit appears to be misconfigured, so it is unlikely to deliver a working payload even when it hits a website running an old, vulnerable version of the plugin. However, researchers urge webmasters and owners to apply the patch anyway, as even a failed attempt can corrupt the plugin's configuration.
Updating also takes care of that damage, since the patched version of the plugin repairs its own configuration.
Moreover, once the attackers notice their mistake, they can quickly correct the exploit and compromise sites that have not yet been patched.
Via: BleepingComputer