Massive Attack Campaign Targets Unpatched WordPress Sites
Cybersecurity firm Wordfence has reported a massive attack campaign targeting millions of WordPress websites. The ongoing attacks exploit vulnerabilities found in outdated plugins and themes, with the primary objective of gaining complete control over the compromised sites by creating rogue administrator accounts. The campaign was first observed on a large scale around May 9, 2024, and originates from a diverse range of over 10,000 IP addresses, indicating a widespread and coordinated effort by the threat actors.
Exploitation via Stored Cross-Site Scripting
The attackers leverage a stored Cross-Site Scripting (XSS) vulnerability present in an outdated WordPress plugin. Once the malicious code is injected into a target site, it remains dormant until an administrator logs in. When the administrator accesses their dashboard, the stored XSS payload executes a malicious JavaScript file in their browser. This script then automates the creation of a new, unauthorized administrator account on the WordPress site. The rogue user is consistently named ‘wpsecurity_plugin’, giving the attackers persistent, high-level access to the website’s backend and content management system.
Backdoor Installation and Campaign Scale
After creating the rogue administrator, the attack proceeds to install a backdoor for long-term control. The malicious script injects code into the active theme’s files, which enables the attackers to execute arbitrary code on the server remotely. This ensures they maintain access even if the initial vulnerability is patched or the rogue admin user is discovered and removed. The scale of this campaign is significant, with Wordfence reporting that it has blocked over 5 million attack attempts targeting this specific vulnerability. The firm advises all WordPress administrators to immediately update all plugins and themes to their latest available versions to protect their sites from this active threat.
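As an added detection example (not code from Wordfence or the article), the following Python triage helper flags administrator accounts that match the reported rogue username, or that were registered on or after the campaign's first observation (an assumed review heuristic), and diffs theme files against a known-good hash baseline to surface injected code. The record field names and all sample data are constructed.

```python
import hashlib
from datetime import datetime

ROGUE_LOGIN = "wpsecurity_plugin"       # rogue username reported by Wordfence
CAMPAIGN_START = datetime(2024, 5, 9)   # first large-scale observation (from the report)

def find_rogue_admins(users):
    """Return logins of administrator accounts that either use the reported
    rogue username or were registered since the campaign began (assumed
    heuristic: flag for manual review, not automatic deletion)."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        registered = datetime.fromisoformat(u["user_registered"])
        if u["user_login"] == ROGUE_LOGIN or registered >= CAMPAIGN_START:
            flagged.append(u["user_login"])
    return flagged

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_modified_theme_files(baseline, current):
    """Compare current theme file contents with a baseline of SHA-256 hashes
    (e.g. taken from a fresh copy of the theme). Returns paths whose hash
    differs or that are absent from the baseline (newly dropped files)."""
    changed = []
    for path, content in sorted(current.items()):
        if baseline.get(path) != sha256(content):
            changed.append(path)
    return changed

# --- constructed sample data, not taken from any real site ---
SAMPLE_USERS = [
    {"user_login": "editor_jane", "roles": ["editor"], "user_registered": "2023-02-01 10:00:00"},
    {"user_login": "siteowner", "roles": ["administrator"], "user_registered": "2021-06-15 09:30:00"},
    {"user_login": "wpsecurity_plugin", "roles": ["administrator"], "user_registered": "2024-05-12 03:14:00"},
]
CLEAN_FUNCTIONS = b"<?php\n// theme bootstrap\nadd_theme_support('title-tag');\n"
BASELINE = {"functions.php": sha256(CLEAN_FUNCTIONS), "header.php": sha256(b"<?php wp_head(); ?>")}
CURRENT_FILES = {
    "functions.php": CLEAN_FUNCTIONS + b"/* appended block */\n",  # contents changed
    "header.php": b"<?php wp_head(); ?>",                          # unchanged
    "wp-tmp.php": b"<?php /* file not in baseline */ ?>",          # new file in theme dir
}

if __name__ == "__main__":
    print("rogue admins:", find_rogue_admins(SAMPLE_USERS))
    print("changed theme files:", find_modified_theme_files(BASELINE, CURRENT_FILES))
```

Any account or file the helper flags should be reviewed and the site re-baselined after plugins and themes are updated, since a flagged theme file may hold the backdoor that survives removal of the rogue admin.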