
Cloud security provider Fastly uncovers critical flaws in widely used plugins, exposing millions of WordPress websites to potential compromise.
Fastly’s security researchers identified unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities in three popular WordPress plugins: WP Meta SEO, WP Statistics, and LiteSpeed Cache.
These vulnerabilities allow attackers to inject malicious scripts into websites, potentially creating backdoors for unauthorized access. Millions of websites are at risk.
WP Meta SEO, with over 600,000 active installations, is susceptible to a vulnerability (CVE-2023-6961) that attackers can exploit by sending a malicious payload. This could grant them access to sensitive information like cookies and session tokens.
An even larger number of websites are exposed by a flaw (CVE-2024-2194) in WP Statistics versions 14.5 and earlier; potentially nearly half of all sites using the plugin (over 5 million active installations) are vulnerable. This vulnerability allows attackers to inject malicious scripts directly into websites.
Cybersecurity researchers have warned that several serious #vulnerabilities in #WordPress plugins are actively being exploited by malicious actors to create fake administrator accounts https://t.co/X68WDHP8Os
— Gray Hats (@the_yellow_fall) June 3, 2024
LiteSpeed Cache, another popular plugin with millions of active users, is also affected by a vulnerability (CVE-2023-40000). This flaw allows attackers to inject malicious scripts disguised as admin notifications, potentially compromising websites when administrators access specific backend pages.
The consequences of these vulnerabilities can be severe. Attackers could exploit them to:
- Create new administrative accounts on compromised websites, granting them full control.
- Inject PHP backdoors into website files, providing permanent unauthorized access.
- Install tracking scripts to monitor compromised websites and steal sensitive data from visitors and administrators.
- Deface websites, altering their appearance and potentially displaying malicious content.
Fastly emphasizes the importance of regularly updating WordPress core software, plugins, and themes. Website owners should also prioritize validating and sanitizing user-generated content to prevent malicious script injection.
Implementing a Web Application Firewall (WAF) and enforcing strong passwords with Multi-Factor Authentication (MFA) can further bolster website security.
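To make the "validate and sanitize" advice concrete, the following PHP snippet is an added example (not code from Fastly or from any of the plugins named above) contrasting a vulnerable admin-notice pattern with a hardened one; the hook, option and nonce names are hypothetical, and the two halves are alternatives shown side by side rather than code meant to load together.

```php
<?php
// Illustrative pattern only; not code from any named plugin.
// Option, action and nonce names below are constructed for this example.

// --- Vulnerable pattern: untrusted input stored as-is, echoed as-is -------
// An unauthenticated handler (admin-post.php?action=example_notice) writes a
// request parameter straight into the options table.
add_action( 'admin_post_nopriv_example_notice', function () {
    update_option( 'example_admin_notice', $_POST['message'] ?? '' ); // no auth, no sanitizing
} );

// Every admin page then renders the stored value as raw HTML, so markup
// stored above runs in the administrator's browser: stored XSS.
add_action( 'admin_notices', function () {
    echo '<div class="notice notice-info"><p>' . get_option( 'example_admin_notice', '' ) . '</p></div>';
} );

// --- Hardened pattern -----------------------------------------------------
// Registered only on the authenticated hook, so anonymous requests never reach it.
add_action( 'admin_post_example_notice', function () {
    // 1. Authorization: only users allowed to manage options may set the notice.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'example_notice_action', 'example_notice_nonce' );

    // 3. Input validation: strip tags and control characters before storing.
    $message = sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) );
    update_option( 'example_admin_notice', $message );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

add_action( 'admin_notices', function () {
    $message = get_option( 'example_admin_notice', '' );
    if ( '' === $message ) {
        return;
    }
    // 4. Output escaping for the HTML context: even a stale, unsanitized
    //    value already in the database renders as text, not as markup.
    printf( '<div class="notice notice-info"><p>%s</p></div>', esc_html( $message ) );
} );
```

Auditing a plugin for this class of bug comes down to the same four checks: who may write the value, whether the write is nonce-protected, what is sanitized on the way in, and which escaping function matches the output context.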
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.