Up to 1.5 million WordPress sites could be hit by this security flaw - so patch up now

A popular WordPress plugin was found vulnerable to XSS

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are reportedly using an Unauthenticated Stored Cross-Site Scripting (XSS) flaw in aWordPressplugin to target thousands of websites, experts have warned.

Cybersecurity researchers from Defiant discovered the flaw in Beautiful Cookie Consent Banner, a WP cookie consent plugin with more than 40,000 active installations. The attackers could use the vulnerability to add malicious JavaScripts into the compromised websites, which would then be executed in the visitors’ browsers.

Cybercriminals can use XSS for a number of things, from stealing sensitive data and sessions, to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is enough privilege to completely take over the website.

Millions of affected sites

Beautiful Cookie’s creators recently released a patch for the flaw, so if you’re using the plugin, make sure it’s updated to version 2.10.2.

“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” Defiant’s Ram Gall said. “We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”

Critical WordPress plugin bug leaves millions of sites open to attack>Elementor website builder review>These are the best website builders right now

The silver lining in the news is that the attackers’ exploit seems to be misconfigured in a way that it’s unlikely to deploy a payload, even if it targets a website running an old and vulnerable version of the plugin. Still, the researchers urge webmasters and owners to apply the patch, as even a failed attempt can corrupt the plugin’s configuration.

The patch sorts this problem out as well, as the plugin is capable of repairing itself.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

What’s more, as soon as the hacker realizes their mistake, they can quickly address it and potentially infect the sites that haven’t been patched yet.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

VIPRE Security Group says its new endpoint protection tools can stamp out even the latest cybersecurity threats