Hackers target 1.5M WordPress sites with cookie consent plugin exploit

Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.

In XSS attacks, threat actors inject malicious JavaScript scripts into vulnerable websites that will execute within the visitors’ web browsers.

The impact can include unauthorized access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or a complete compromise of the target’s system.

WordPress security company Defiant, which spotted the attacks, says the vulnerability in question also allows unauthenticated attackers to create rogue admin accounts on WordPress websites running unpatched plugin versions (up to and including 2.10.1).

The security flaw exploited in this campaign was patched in January with the release of version 2.10.2.

“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” threat analyst Ram Gall said.

“We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”

Blocked attacks
Blocked attacks (Wordfence)

​Despite the large-scale nature of this ongoing attack campaign, Gall says the threat actor uses a misconfigured exploit that would likely not deploy a payload even when targeting a WordPress site running a vulnerable plugin version.

Even so, admins or owners of websites using the Beautiful Cookie Consent Banner plugin are advised to update it to the latest version because even a failed attack could corrupt the plugin’s configuration stored in the nsc_bar_bannersettings_json option.

The plugin’s patched versions have also been updated to repair itself in the event that the website was targeted in these attacks.

While the current wave of attacks might not be able to inject websites with a malicious payload, the threat actor behind this campaign could address this issue at any time and potentially infect any sites that remain exposed.

Last week, threat actors also started probing the internet for WordPress websites running vulnerable versions of the Essential Addons for Elementor and WordPress Advanced Custom Fields plugins.

The campaigns started after the release of proof-of-concept (PoC) exploits, allowing unauthenticated attackers to hijack websites after resetting admin passwords and gaining privileged access, respectively.

This content was originally published here.