This Security Flaw Could Affect Up To 1.5 Million WordPress Sites, So Patch Now

Experts have warned that hackers are using an Unauthenticated Stored Cross-Site Scripting (XSS) flaw in a WordPress plugin to target thousands of websites.

The flaw was discovered by Defiant cybersecurity researchers in Beautiful Cookie Consent Banner, a WP cookie consent plugin with over 40,000 active installations. The vulnerability could be exploited by attackers to insert malicious JavaScripts into compromised websites, which would then be executed in visitors’ browsers.

Cybercriminals can use XSS for a variety of purposes, ranging from stealing sensitive data and sessions to completely taking over vulnerable websites. In this case, threat actors can create admin accounts with sufficient access to completely take over the website.

Millions of sites are affected

The creators of Beautiful Cookie recently released a patch for the flaw, so make sure you’re running version 2.10.2 of the plugin.

“The vulnerability has been actively attacked since February 5, 2023, according to our records, but this is the largest attack against it that we have seen,” Defiant’s Ram Gall said. “Since May 23, 2023, we have blocked nearly 3 million attacks against more than 1.5 million sites from nearly 14,000 IP addresses, and attacks continue.”

The attackers’ exploit appears to be misconfigured in such a way that it is unlikely to deploy a payload, even if it targets a website running an old and vulnerable version of the plugin. Nonetheless, the researchers urge webmasters and owners to install the patch because even a failed attempt can corrupt the plugin’s configuration.

This issue is also resolved by the patch, as the plugin is capable of self-repair.

Furthermore, as soon as the hacker realizes their error, they can quickly correct it, potentially infecting unpatched sites.

Via: BleepingComputer

This security flaw could affect up to 1.5 million WordPress sites, so patch now