This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

🔊 Web Growth Summit is here! Learn from industry experts on July 17-18, 2024. REGISTER NOW→

Millions of WordPress Sites Exposed: Popular Plugins Leave Backdoor Wide Open 

Updated on June 4, 2024

2 Min Read
Millions of WordPress Sites Exposed: Popular Plugins Leave Backdoor Wide Open 


Cloud security provider Fastly uncovers critical flaws in widely used plugins, exposing millions of WordPress websites to potential compromise.

Fastly’s security researchers identified unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities in three popular WordPress plugins: WP Meta SEO, WP Statistics, and LiteSpeed Cache.

These vulnerabilities allow attackers to inject malicious scripts into websites, potentially creating backdoors for unauthorized access. Millions of websites are at risk.

via GIPHY

WP Meta SEO, with over 600,000 active installations, is susceptible to a vulnerability (CVE-2023-6961) that attackers can exploit by sending a malicious payload. This could grant them access to sensitive information like cookies and session tokens.

An even larger number of websites, potentially nearly half of all those using the plugin (over 5 million active installations), are vulnerable due to a flaw (CVE-2024-2194) in WP Statistics versions 14.5 and earlier. This vulnerability allows attackers to inject malicious scripts directly into websites.

LiteSpeed Cache, another popular plugin with millions of active users, is also affected by a vulnerability (CVE-2023-40000). This flaw allows attackers to inject malicious scripts disguised as admin notifications, potentially compromising websites when administrators access specific backend pages.

The consequences of these vulnerabilities can be severe. Attackers could exploit them to:

  • Create new administrative accounts on compromised websites, granting them full control.
  • Inject PHP backdoors into website files, providing permanent unauthorized access.
  • Install tracking scripts to monitor compromised websites and steal sensitive data from visitors and administrators.
  • Deface websites, altering their appearance and potentially displaying malicious content.

Fastly emphasizes the importance of regularly updating WordPress core software, plugins, and themes. Website owners should also prioritize validating and sanitizing user-generated content to prevent malicious script injection.

via GIPHY

Implementing a Web Application Firewall (WAF) and enforcing strong passwords with Multi-Factor Authentication (MFA) can further bolster website security.

Protect Your Site with Cloudways Malware Protection

Shield your applications from vulnerabilities. Enjoy real-time scans, scheduled scans, and automated cleanup to keep your files and database secure.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.

×

Thankyou for Subscribing Us!

×

Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Want to Experience the Cloudways Platform in Its Full Glory?

Take a FREE guided tour of Cloudways and see for yourself how easily you can manage your server & apps on the leading cloud-hosting platform.

Start my tour

CYBER WEEK SAVINGS

  • 0

    Days

  • 0

    Hours

  • 0

    Mints

  • 0

    Sec

GET OFFER

For 4 Months &
40 Free Migrations

For 4 Months &
40 Free Migrations

Upgrade Now