Subj : Up to 1.5 million WordPress sites could be hit by this security f To : All From : TechnologyDaily Date : Thu May 25 2023 20:30:04 Up to 1.5 million WordPress sites could be hit by this security flaw - so patch up now Date: Thu, 25 May 2023 19:11:12 +0000 Description: A popular WordPress plugin could have been exposing thousands of websites to potential takeover attacks. FULL STORY ====================================================================== Hackers are reportedly using an Unauthenticated Stored Cross-Site Scripting (XSS) flaw in a WordPress plugin to target thousands of websites, experts have warned. Cybersecurity researchers from Defiant discovered the flaw in Beautiful Cookie Consent Banner, a WP cookie consent plugin with more than 40,000 active installations. The attackers could use the vulnerability to add malicious JavaScripts into the compromised websites, which would then be executed in the visitors browsers. Cybercriminals can use XSS for a number of things, from stealing sensitive data and sessions, to complete takeover of the vulnerable website. In this particular case, threat actors can create admin accounts, which is enough privilege to completely take over the website. Millions of affected sites Beautiful Cookies creators recently released a patch for the flaw, so if youre using the plugin, make sure its updated to version 2.10.2. "According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen," Defiants Ram Gall said. "We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing." Read more > Critical WordPress plugin bug leaves millions of sites open to attack > Elementor website builder review > These are the best website builders right now The silver lining in the news is that the attackers exploit seems to be misconfigured in a way that its unlikely to deploy a payload, even if it targets a website running an old and vulnerable version of the plugin. Still, the researchers urge webmasters and owners to apply the patch, as even a failed attempt can corrupt the plugins configuration. The patch sorts this problem out as well, as the plugin is capable of repairing itself. Whats more, as soon as the hacker realizes their mistake, they can quickly address it and potentially infect the sites that havent been patched yet. These are the best endpoint protection services right now Via: BleepingComputer ====================================================================== Link to news story: https://www.techradar.com/news/up-to-15-million-wordpress-sites-could-be-hit-b y-this-security-flaw-so-patch-up-now --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .