Active Exploitation of Stored XSS Vulnerabilities in WordPress Plugins (CVE-2024-2194, CVE-2023-6961, CVE-2023-40000)

Security Update

Bar Refael

June 3, 2024

Recent cyberattacks have exploited stored cross-site scripting (XSS) vulnerabilities in several popular WordPress plugins. The affected plugins include WP Statistics, WP Meta SEO, and LiteSpeed Cache, with vulnerabilities identified as CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000. These vulnerabilities stem from inadequate input sanitization and output escaping, allowing attackers to inject malicious scripts.

Vulnerability Overview

CVE-2024-2194:

  • Affected Plugin: WP Statistics (versions 14.5 and earlier)
  • Vulnerability: Stored XSS via the URL search parameter
  • Active Installations: Over 600,000
  • Disclosure Date: March 11, 2024

CVE-2023-6961:

  • Affected Plugin: WP Meta SEO (versions 4.5.12 and earlier)
  • Vulnerability: Stored XSS via the Referer HTTP header
  • Active Installations: Over 20,000
  • Disclosure Date: April 16, 2024

CVE-2023-40000:

  • Affected Plugin: LiteSpeed Cache (versions 5.7.0.1 and earlier)
  • Vulnerability: Stored XSS through ‘nameservers’ and ‘_msg’ parameters
  • Active Installations: Over 5 million
  • Disclosure Date: February 2024

Technical Details

Malicious JavaScript injected through these vulnerabilities can:

  1. Inject Malicious PHP Backdoors:
    • Into plugin and theme files.
  2. Create a New Administrator Account:
    • Username: admin
    • Password: 7F9SzCnS6g3AFLAO39Ro
  3. Initiate Tracking:
    • Implement tracking via JavaScript or a tracking pixel.

Threat Actor Activity

  • CVE-2024-2194:
    • Domain: media.cdnstaticjs[.]com
    • Geographic Concentration: Primarily from the Netherlands
  • CVE-2023-6961:
    • Domain: idc.cloudiync[.]com
    • Exploitation Attempts: Over 5 billion requests
  • CVE-2023-40000:
    • Domains: cloud.cdndynamic[.]com, go.kcloudinc[.]com, cdn.mediajsdelivery[.]com
    • IP Addresses: Distributed across 1664 distinct IP addresses

Indicators of Compromise (IoCs)

Domains:

  • media.cdnstaticjs[.]com
  • cloud.cdndynamic[.]com
  • idc.cloudiync[.]com
  • cdn.mediajsdelivery[.]com
  • go.kcloudinc[.]com
  • assets.scontentflow[.]com
  • cache.cloudswiftcdn[.]com

IP Addresses:

  • 80.82.76[.]214
  • 31.43.191[.]220
  • 94.102.51[.]144
  • 94.102.51[.]95
  • 91.223.82[.]150
  • 185.7.33[.]129
  • 101.99.75[.]178
  • 94.242.61[.]217
  • 80.82.78[.]133
  • 111.90.150[.]154
  • 103.155.93[.]120
  • 185.100.87[.]144
  • 185.162.130[.]23
  • 101.99.75[.]215
  • 111.90.150[.]123
  • 103.155.93[.]244
  • 185.209.162[.]247
  • 179.43.172[.]148
  • 185.159.82[.]103
  • 185.247.226[.]37
  • 185.165.169[.]62
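The following triage script is an added example for this advisory; it is not OP Innovate's tooling or part of the original write-up. It loads the IoC domains and IP addresses listed above, flags access-log lines that originate from a listed address or carry script-like content in the injection vectors the advisory names (query parameters, the Referer header, and the LiteSpeed Cache `nameservers`/`_msg` parameters), and flags plugin or theme files that reference a listed domain. It assumes the Apache/nginx "combined" log format; the log lines and file contents at the bottom are constructed samples, not real traffic.

```python
"""Triage helper: flag access-log lines and plugin/theme files that match the
advisory's IoCs or show script-like content in the injection vectors it names."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a.b[.]com' back into 'a.b.com'."""
    return indicator.replace("[.]", ".")

# Indicators copied from the advisory's IoC section, defanged as published.
IOC_DOMAINS = {refang(d) for d in (
    "media.cdnstaticjs[.]com", "cloud.cdndynamic[.]com", "idc.cloudiync[.]com",
    "cdn.mediajsdelivery[.]com", "go.kcloudinc[.]com", "assets.scontentflow[.]com",
    "cache.cloudswiftcdn[.]com",
)}
IOC_IPS = {refang(ip) for ip in (
    "80.82.76[.]214", "31.43.191[.]220", "94.102.51[.]144", "94.102.51[.]95",
    "91.223.82[.]150", "185.7.33[.]129", "101.99.75[.]178", "94.242.61[.]217",
    "80.82.78[.]133", "111.90.150[.]154", "103.155.93[.]120", "185.100.87[.]144",
    "185.162.130[.]23", "101.99.75[.]215", "111.90.150[.]123", "103.155.93[.]244",
    "185.209.162[.]247", "179.43.172[.]148", "185.159.82[.]103", "185.247.226[.]37",
    "185.165.169[.]62",
)}
# Request parameters the advisory names as the LiteSpeed Cache injection vectors.
NAMED_VECTOR_PARAMS = {"nameservers", "_msg"}
# Markup that has no business in a search term or a Referer header.
SCRIPT_RE = re.compile(
    r"<\s*script|javascript\s*:|\bon(load|error|click|mouseover|focus)\s*=",
    re.IGNORECASE,
)
# Apache/nginx "combined" log format (assumption; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def looks_like_script(value: str) -> bool:
    """True if a (possibly percent-encoded) value contains script-like markup."""
    return bool(SCRIPT_RE.search(unquote(value)))


def check_log_line(line: str) -> list[str]:
    """Return the reasons a log line deserves a look; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append(f"source IP {m['ip']} is in the IoC list")
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if name in NAMED_VECTOR_PARAMS:
            reasons.append(f"request uses named vector parameter '{name}'")
        if looks_like_script(value):
            reasons.append(f"script-like content in parameter '{name}'")
    if looks_like_script(m["referer"]):
        reasons.append("script-like content in Referer header")
    return reasons


def triage_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> reasons for every line that raised at least one flag."""
    flagged = {}
    for i, line in enumerate(lines):
        reasons = check_log_line(line.rstrip("\n"))
        if reasons:
            flagged[i] = reasons
    return flagged


def scan_file_text(path: str, text: str) -> list[str]:
    """Flag a plugin/theme file that references an IoC domain. Plugin files
    legitimately contain <script> tags, so only the domains are matched; a hit
    means the file should be diffed against the vendor's release."""
    return [f"{path}: references {d}" for d in sorted(IOC_DOMAINS) if d in text]


# Constructed sample data (not real traffic): one clean line, three that should flag.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2024:10:00:00 +0000] "GET /?s=wordpress+tips HTTP/1.1" '
    '200 5120 "https://example.net/" "Mozilla/5.0"',
    '80.82.76.214 - - [03/Jun/2024:10:00:01 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 '
    '"<script src=\'https://example.org/x.js\'></script>" "Mozilla/5.0"',
    '185.165.169.62 - - [03/Jun/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?_msg=test '
    'HTTP/1.1" 200 12 "-" "curl/8.0"',
]
SAMPLE_FILES = {  # constructed: a clean theme file and a plugin file with an injected loader
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "wp-content/plugins/demo/demo.php":
        '<?php /* plugin code */ ?>\n<script src="https://cloud.cdndynamic.com/x.js"></script>\n',
}

if __name__ == "__main__":
    for i, reasons in triage_log(SAMPLE_LOG).items():
        print(f"log line {i}: " + "; ".join(reasons))
    for path, text in SAMPLE_FILES.items():
        for hit in scan_file_text(path, text):
            print(hit)
```

To run it over a real site, pass the lines of the access log to `triage_log()` and the contents of each file under `wp-content/plugins` and `wp-content/themes` to `scan_file_text()`; a domain hit in a plugin file is the strongest signal here, since the injected loaders described above are what pull the follow-on scripts from those hosts.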

Mitigation and Recommendations

  1. Update Affected Plugins: Apply patches for WP Statistics (version 14.5+), WP Meta SEO (version 4.5.13+), and LiteSpeed Cache (version 5.7.1+).
  2. Monitor for IoCs: Implement monitoring to detect malicious activity related to identified domains and IP addresses.
  3. Strengthen Security Posture: Enhance input sanitization and output escaping practices to prevent future XSS vulnerabilities.
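As an added illustration of recommendation 3 (not code from the advisory or from any of the affected plugins), the block below shows the two controls on an attacker-controlled value of the kind these bugs mishandle: a Referer header that a statistics page stores and later renders in an admin table. The vulnerable rendering interpolates the stored string straight into HTML; the hardened one escapes at output, and the full pipeline also sanitizes before storage. The helper names and the sample header are assumptions for the example; in a WordPress plugin the equivalent calls are `sanitize_text_field()` on input and `esc_html()`/`esc_attr()` at output.

```python
"""Sanitize on input, escape on output, shown on a stored Referer header that is
later rendered inside an admin page."""
import html
import re

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_for_storage(value: str) -> str:
    """Normalise an untrusted string before it is stored: drop tags and control
    characters and collapse whitespace. Illustrative, modelled on the role that
    sanitize_text_field() plays in WordPress; not that function's own code."""
    value = TAG_RE.sub("", value)
    value = "".join(ch for ch in value if ch >= " " or ch == "\t")
    return re.sub(r"\s+", " ", value).strip()


def render_row_unsafe(referer: str) -> str:
    """The vulnerable pattern: a stored value interpolated straight into HTML, so
    any markup it carries becomes part of the admin page."""
    return f"<td>{referer}</td>"


def render_row(referer: str) -> str:
    """Hardened: escape at the point of output (the role esc_html() plays in
    WordPress) so <, >, & and quotes reach the browser as text, never as markup."""
    return f"<td>{html.escape(referer, quote=True)}</td>"


def store_and_render(raw_header: str) -> str:
    """Both controls together: sanitize before storage, escape again at output.
    Either alone stops this sample; both are kept because stored data tends to be
    rendered in more than one place, and not every caller remembers to escape."""
    return render_row(sanitize_for_storage(raw_header))


def is_inert(rendered: str) -> bool:
    """True if the cell body contains no raw angle brackets, i.e. nothing the
    browser could parse as a tag."""
    inner = rendered[len("<td>"):-len("</td>")]
    return "<" not in inner and ">" not in inner


# Constructed sample: a Referer header carrying a harmless marker script tag.
CONSTRUCTED_REFERER = 'https://example.org/"><script>probe()</script>'

if __name__ == "__main__":
    print(render_row_unsafe(CONSTRUCTED_REFERER))  # markup survives: vulnerable
    print(render_row(CONSTRUCTED_REFERER))         # escaped: inert
    print(store_and_render(CONSTRUCTED_REFERER))   # sanitized, then escaped
```

The point to take from `store_and_render()` is that escaping belongs at the output boundary regardless of what sanitization happened on the way in: the three plugins above all stored attacker-supplied strings and then emitted them in an administrator's browser, which is exactly the path a single missed `esc_html()` call leaves open.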

Stay Secure. Stay Informed.

OP Innovate Research Team.