Up to 1.5 million WordPress sites could be hit by this security flaw - so patch up now

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Hackers are reportedly using an Unauthenticated Stored Cross-Site Scripting (XSS) flaw in a WordPress plugin to target thousands of websites, experts have warned.

Cybersecurity researchers from Defiant discovered the flaw in Beautiful Cookie Consent Banner, a WP cookie consent plugin with more than 40,000 active installations. The attackers could use the vulnerability to add malicious JavaScripts into the compromised websites, which would then be executed in the visitors’ browsers. 

Cybercriminals can use XSS for a number of things, from stealing sensitive data and sessions, to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is enough privilege to completely take over the website. 

Millions of affected sites

Beautiful Cookie’s creators recently released a patch for the flaw, so if you’re using the plugin, make sure it’s updated to version 2.10.2.

"According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen," Defiant’s Ram Gall said. "We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing."

The silver lining in the news is that the attackers’ exploit seems to be misconfigured in a way that it’s unlikely to deploy a payload, even if it targets a website running an old and vulnerable version of the plugin. Still, the researchers urge webmasters and owners to apply the patch, as even a failed attempt can corrupt the plugin’s configuration. 

The patch sorts this problem out as well, as the plugin is capable of repairing itself. 

What’s more, as soon as the hacker realizes their mistake, they can quickly address it and potentially infect the sites that haven’t been patched yet.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.