Ongoing attacks are targeting an unauthenticated stored cross-site scripting (XSS) vulnerability in Beautiful Cookie Consent Banner, a WordPress cookie consent plugin with more than 40,000 active installs.
The impact can include unauthorized access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or complete compromise of the target’s system.
WordPress security firm Defiant, which spotted the attacks, says the vulnerability also allows unauthenticated attackers to create rogue administrator accounts on WordPress sites running unpatched versions of the plugin (up to and including 2.10.1).
The security flaw exploited in this campaign was patched in January with the release of version 2.10.2.
“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it we’ve seen,” threat analyst Ram Gall said.
“We’ve blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and the attacks are continuing.”
Despite the scale of this ongoing campaign, Gall says the threat actor is using a misconfigured exploit that would likely fail to deploy a payload even against a site running a vulnerable version of the plugin.
Even so, administrators or owners of websites using the Beautiful Cookie Consent Banner plugin are advised to update it to the latest version, as even a failed attack could corrupt the plugin configuration stored in the nsc_bar_bannersettings_json option.
The patched versions of the plugin also repair that configuration automatically if the site is hit by these attacks.
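Site owners who cannot update immediately can at least check whether the stored banner settings have been tampered with. The following script is an added example for this article, not code from the plugin or from Defiant: it audits the raw value of the nsc_bar_bannersettings_json option (which you can pull with WP-CLI via `wp option get nsc_bar_bannersettings_json`) for unparseable JSON and for script-like content in any string field, and strips HTML tags from string fields as a crude repair. The sample option values, their keys (`banner_text`, `bg_color`, `link`) and the injected payloads are all constructed for the example; the real plugin's settings schema is not documented in the article.

```python
import json
import re

# Constructed sample values of the nsc_bar_bannersettings_json option.
# The keys and contents are made up for this example and are not
# captured attack data or the plugin's actual schema.
CLEAN = json.dumps({
    "banner_text": "We use cookies to improve your experience.",
    "bg_color": "#ffffff",
    "link": "https://example.invalid/privacy",
})
INJECTED = json.dumps({
    "banner_text": 'We use cookies.<script src="https://example.invalid/x.js"></script>',
    "bg_color": "#ffffff",
    "link": "<img src=x onerror=alert(1)>",
})
# A failed exploit attempt can leave the option truncated or otherwise unparseable.
CORRUPTED = '{"banner_text": "We use cookies.", "bg_color": '

# Indicators that a settings string carries markup capable of executing script.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script", re.I),      # <script ...>
    re.compile(r"javascript\s*:", re.I),  # javascript: URLs in links
    re.compile(r"\bon\w+\s*=", re.I),     # inline event handlers such as onerror=
]
TAG_RE = re.compile(r"<[^>]*>")


def _load(raw):
    """Parse the option value; return None if it is not valid JSON."""
    try:
        return json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return None


def audit_option(raw):
    """Classify an option value.

    Returns (status, findings) where status is 'corrupted' (unparseable JSON),
    'injected' (script-like content in some string field) or 'ok', and
    findings lists (json_path, matched_pattern) pairs for injected content.
    """
    data = _load(raw)
    if data is None:
        return "corrupted", []
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            for pattern in SCRIPT_PATTERNS:
                if pattern.search(node):
                    findings.append((path, pattern.pattern))
                    break

    walk(data, "$")
    return ("injected" if findings else "ok"), findings


def strip_markup(raw):
    """Return the option value with HTML tags removed from every string field.

    This is a blunt repair (tag removal, not a full HTML sanitizer) meant to
    neutralise injected <script> and event-handler markup before you update the
    plugin; it returns None when the JSON itself cannot be parsed, since a
    corrupted option has to be reset rather than cleaned.
    """
    data = _load(raw)
    if data is None:
        return None

    def clean(node):
        if isinstance(node, dict):
            return {k: clean(v) for k, v in node.items()}
        if isinstance(node, list):
            return [clean(v) for v in node]
        if isinstance(node, str):
            return TAG_RE.sub("", node)
        return node

    return json.dumps(clean(data))


if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("injected", INJECTED), ("corrupted", CORRUPTED)):
        status, findings = audit_option(value)
        print(f"{label}: {status} {findings}")
    print("repaired:", strip_markup(INJECTED))
```

On a real site, feed the script the output of `wp option get nsc_bar_bannersettings_json`; a `corrupted` result means the option needs to be reset (or the plugin updated so it can repair itself), while an `injected` result is evidence the exploit did deliver a payload and the site should be treated as compromised rather than merely cleaned.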
While the current wave of attacks may not be able to inject websites with a malicious payload, the threat actor behind this campaign could correct the exploit at any time and infect any websites that remain exposed.
The campaigns began after proof-of-concept (PoC) exploits were published that allow unauthenticated attackers to hijack websites, whether by resetting admin passwords or by otherwise gaining privileged access.