Vulnerabilities  
May 26, 2023

Hackers rampage through 1.5 million WordPress sites exploiting cookie consent plugins

Several ongoing attack campaigns are targeting an unauthenticated stored cross-site scripting (XSS) vulnerability in the WordPress plugin Beautiful Cookie Consent Banner. The plugin currently has over 40,000 active installations.

In an XSS attack, a threat actor injects malicious JavaScript into a vulnerable website. Because the script is stored by the site, it executes in the web browser of every visitor to the affected pages.

The consequences of such attacks range from unauthorised access to sensitive information and hijacking of user sessions, through malware infections caused by redirects to malicious websites, to a full compromise of the targeted system.

How was this spotted?

The attacks were detected by Defiant, a WordPress security company, which revealed that the vulnerability enables unauthenticated attackers to create unauthorised admin accounts on WordPress websites running unpatched versions of the plugin (up to and including 2.10.1).

The security flaw exploited in this campaign was fixed in January with the release of version 2.10.2.

According to threat analyst Ram Gall, the vulnerability has been under active attack since February 2023, but the current wave is the largest they have seen. Nearly 3 million attacks against more than 1.5 million sites have been blocked since May 23rd 2023, and despite this pushback the attacks are ongoing.

What next?  

Website admins and owners using the Beautiful Cookie Consent Banner plugin are strongly recommended to update it to the most recent version promptly. This matters even where an attack fails: a failed attempt can still corrupt the plugin's configuration, which is stored in the nsc_bar_bannersettings_json option.

The patched versions of the plugin also repair this configuration automatically if the website is targeted by these attacks.
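As an added illustration (not code from the article or from the plugin itself), the following check classifies the value of that option as intact, corrupted by a failed attempt, or carrying injected active content; an administrator could run it over the value exported with WP-CLI's `wp option get nsc_bar_bannersettings_json`. The field names in the sample values are made up, and the "suspicious" pattern is a heuristic rather than the plugin's own validation.

```python
import json
import re

# Option name taken from the article; the value lives in the site's wp_options table.
OPTION_NAME = "nsc_bar_bannersettings_json"

# Heuristic markers of active content that have no place in banner settings.
_SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def classify_banner_settings(raw):
    """Return (status, detail) for one option value.

    status is 'ok' (parses cleanly), 'corrupted' (empty or not a JSON object,
    the state a failed attack can leave behind) or 'injected' (a settings
    string contains script or event-handler markup).
    """
    if raw is None or raw == "":
        return ("corrupted", "option is empty or missing")
    try:
        settings = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return ("corrupted", "not valid JSON: %s" % exc)
    if not isinstance(settings, dict):
        return ("corrupted", "top-level value is not a JSON object")
    # Walk every string in the object: stored XSS can sit in any free-text field.
    stack = [settings]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and _SUSPICIOUS.search(node):
            return ("injected", "active content found in a settings string")
    return ("ok", "settings parse cleanly")


# Constructed sample values (hypothetical field names, placeholder domain).
SAMPLES = {
    "intact": '{"position": "bottom", "message": "We use cookies", "buttons": ["ok"]}',
    "truncated": '{"position": "bottom", "message": "We use cook',
    "tampered": '{"message": "We use cookies<script src=\\"https://example.invalid/a.js\\"></script>"}',
}


def scan_samples():
    """Classify every constructed sample; returns {label: status}."""
    return {label: classify_banner_settings(raw)[0] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, status in scan_samples().items():
        print("%s: %s -> %s" % (OPTION_NAME, label, status))
```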

Although the present wave of attacks may not currently inject websites with malicious payloads, the threat actor behind the campaign could change that at any time. Any website that remains vulnerable could therefore be infected in the future.

Following the publication of proof-of-concept (PoC) exploits, threat actors have initiated internet-wide scans targeting WordPress websites utilising outdated versions of the Essential Addons for Elementor and WordPress Advanced Custom Fields plugins.

These campaigns have been launched with the intention of exploiting the identified vulnerabilities, granting unauthenticated attackers the ability to reset admin passwords and obtain privileged access to the targeted websites. The escalation of these activities took place during the past week.

Strengthening Defences through Proactive Measures

Web application Penetration Testing plays a crucial role in preventing attacks like those targeting WordPress websites. By conducting comprehensive security assessments, organisations can proactively identify vulnerabilities and weaknesses within their web applications. Penetration Testing helps uncover potential entry points that threat actors may exploit, such as unpatched plugins or misconfigured settings.

Rigorous testing gives businesses insight into their web application's security posture and shows which measures are needed to strengthen their defences.

Skilled Penetration Testers make it easier to identify and address vulnerabilities before malicious actors can exploit them. Regularly scheduled Penetration Testing provides continuous monitoring of web application security, offering a proactive defence against emerging threats and reducing the risk of successful attacks.

At Cybaverse, our team of Penetration Testers conducts comprehensive assessments of your web applications, network infrastructure, and systems, emulating real-world attack scenarios to uncover potential weaknesses. Their in-depth analysis provides valuable insights into your security posture, enabling you to prioritise remediation efforts and allocate resources effectively.

Want to find out more? Read about our Penetration Testing services here.
