
Over 17,000 Websites Exploited in Massive Balada Injector Campaign


Over 17,000 WordPress websites have been compromised as a result of the notorious Balada Injector attack. The Balada Injector, discovered in 2022 but thought to have been active since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to install malicious backdoors. 

Following infection, these backdoors redirect website users to fake tech help pages, bogus lottery winnings, fraudulent push notification hoaxes, and other scams. 

With such a wide range of deceptive techniques, experts believe that Balada Injector is either a service offered to other threat actors or a direct component of a scam operation. 

The recent wave of attacks is being blamed on the tagDiv Composer plugin's CVE-2023-3169 cross-site scripting (XSS) vulnerability. This plugin is found on an estimated 155,000 websites with the Newspaper and Newsmag WordPress themes, both premium products, laying the groundwork for possible attacks. 

This effort started in September, following the public disclosure of the vulnerability and the publishing of a proof-of-concept. 

In a recent analysis, website security firm Sucuri exposed the extent of the infiltration, citing specific indicators of the attack, such as a malicious script placed inside separate tags. Sucuri identified six distinct attack waves: 

  • Malicious script injections from stay.decentralappps[.]com, which compromised over 5,000 websites.
  • Creation of rogue WordPress administrator accounts, initially with the login "greeceman" and later with names generated automatically from the site's hostname.
  • Covert persistence achieved by using the WordPress theme editor to modify the Newspaper theme's 404.php file.
  • Installation of the rogue wp-zexit plugin, which mimics legitimate WordPress administrator activity.
  • Introduction of three new malicious domains with heavier obfuscation, complicating detection efforts.
  • Three distinct injection methods using promsmotion[.]com subdomains in place of the earlier domain, found on a total of 235 websites.

The CVE-2023-3169 vulnerability was used to compromise over 9,000 of the 17,000 compromised sites, demonstrating the attackers' tremendous effectiveness and ability to adapt quickly for maximum impact. 
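The indicators listed above can be checked on a suspect WordPress install with a short read-only scan. This is an added example, not Sucuri's tooling; the document-root argument, the Newspaper theme directory name and the file-extension filter are assumptions.

```php
<?php
// Added example (not from Sucuri or the post): read-only scan of a WordPress
// document root for the Balada Injector indicators named in the post.
// Usage: php balada-scan.php /var/www/html   (the path is an assumption).

$root     = $argv[1] ?? getcwd();
$findings = [];

// Waves 1 and 6: injected script loaders pointing at the named domains.
// Only PHP/JS/HTML files are inspected; that filter is an assumption.
$domains = ['stay.decentralappps.com', 'promsmotion.com'];
$files   = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
foreach ($files as $file) {
    if (!preg_match('/\.(php|js|html?)$/i', $file->getFilename())) {
        continue;
    }
    $contents = @file_get_contents($file->getPathname());
    if ($contents === false) {
        continue;
    }
    foreach ($domains as $domain) {
        if (stripos($contents, $domain) !== false) {
            $findings[] = "reference to $domain in " . $file->getPathname();
        }
    }
}

// Wave 3: persistence via the Newspaper theme's 404.php (directory name assumed).
$theme404 = "$root/wp-content/themes/Newspaper/404.php";
if (is_file($theme404) && preg_match('/<script\b/i', file_get_contents($theme404))) {
    $findings[] = "script tag in $theme404 (modified " . date('c', filemtime($theme404)) . ')';
}

// Wave 4: the rogue wp-zexit plugin directory.
if (is_dir("$root/wp-content/plugins/wp-zexit")) {
    $findings[] = 'rogue plugin directory wp-content/plugins/wp-zexit is present';
}

// Wave 2: the "greeceman" admin account; requires bootstrapping WordPress.
if (is_file("$root/wp-load.php")) {
    require_once "$root/wp-load.php";
    $user = get_user_by('login', 'greeceman');
    if ($user && in_array('administrator', (array) $user->roles, true)) {
        $findings[] = 'rogue administrator account "greeceman" exists';
    }
}

foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
echo $findings ? '' : "no Balada indicators found under $root\n";
exit($findings ? 1 : 0);
```

Hostname-derived admin names from the later waves are not matched here; review the full administrator list in wp-admin or with WP-CLI for accounts you did not create.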

Webmasters and site owners should immediately upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular upgrades to themes, plugins, and all website components remain critical in protecting against such formidable threats.

Critical XSS Bug in WordPress Plugin Puts Thousands of Retail Sites at Risk


Cybersecurity researchers have uncovered a security flaw in the Variation Swatches plugin that allows attackers with low-level permissions to change critical settings on e-commerce websites and insert malicious scripts. 

The plugin "Variation Swatches for WooCommerce," installed on roughly 80,000 WordPress-powered retail sites, contains a stored cross-site scripting (XSS) flaw that allows threat actors to inject malicious web scripts and take over sites. 

Variation Swatches lets e-commerce sites running WooCommerce on WordPress display and sell multiple variations of a single product. Unfortunately, vulnerable versions also give users without administrative capabilities, such as customers or subscribers, access to the plugin's settings, according to researchers from Wordfence. 

“More specifically, the plugin registered the ‘tawcvs_save_settings,’ ‘update_attribute_type_setting’ and ‘update_product_attr_type’ functions, which were all hooked to various AJAX actions. These three functions were all missing capability checks as well as nonce checks, which provide cross-site request forgery protection,” Wordfence’s Chloe Chamberland stated, in a recent blog post. 

Exposing the "tawcvs_save_settings" function to minimally privileged users such as customers is especially troubling, she said, because that access can be used to update the plugin's settings and insert malicious web scripts that would run whenever a site owner viewed the plugin's options. 

“As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site,” Chamberland added.
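The pattern Wordfence describes, an AJAX settings handler with no capability or nonce check, is shown below next to a hardened version. This is an added illustration, not the Variation Swatches plugin's own code; the hook names, option name, field names and the manage_options capability are assumptions.

```php
<?php
// Added illustration (not the plugin's code): an AJAX settings handler that
// any logged-in user can reach, then the hardened form. Names are assumptions.

// VULNERABLE PATTERN: wp_ajax_* runs for every authenticated user. With no
// capability check and no nonce check, a subscriber can overwrite the option,
// and whatever they store is later rendered unescaped on the admin settings
// page (stored XSS); the missing nonce also leaves it open to CSRF.
add_action( 'wp_ajax_example_save_settings_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    update_option( 'example_plugin_settings', $_POST['settings'] ); // raw input
    wp_send_json_success();
}

// HARDENED VERSION: verify the nonce (CSRF), require an admin capability
// (authorisation), sanitize on the way in, escape on the way out.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // Sends a 403 and stops if the "security" nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array();
    // Allow-list the expected keys; everything else is dropped.
    foreach ( array( 'swatch_label', 'swatch_style' ) as $key ) {
        $clean[ $key ] = isset( $raw[ $key ] ) ? sanitize_text_field( $raw[ $key ] ) : '';
    }
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}

// Rendering the stored value on the settings page: escape for the attribute
// context, and emit the nonce the JavaScript side must send back as "security".
function example_render_setting_field() {
    $settings = get_option( 'example_plugin_settings', array() );
    $label    = isset( $settings['swatch_label'] ) ? $settings['swatch_label'] : '';
    printf( '<input type="text" name="settings[swatch_label]" value="%s">', esc_attr( $label ) );
    printf( '<input type="hidden" name="security" value="%s">',
        esc_attr( wp_create_nonce( 'example_save_settings' ) ) );
}
```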

The flaw, tracked as CVE-2021-42367, affected all users of the plugin until Nov. 23, when it was patched in the latest version, 2.1.2. WordPress users are already dealing with cascading flaws, incidents, and hacks. Last week, for instance, GoDaddy, the world's largest domain registrar, was hacked, affecting 1.2 million customers and GoDaddy Managed WordPress resellers. 

Earlier this year, in October, a bug in the Hashthemes Demo Importer plugin allowed users with only subscriber permissions to wipe all content from a site. To mitigate this latest plugin bug, Chamberland advised users to update their sites to the patched version of Variation Swatches for WooCommerce. 

In mid-November, another buggy WordPress plugin allowed threat actors to display a fake ransomware encryption message demanding nearly $6,000 to unlock the website. The threat was hollow; all users had to do was delete the plugin, but had the attackers deployed actual ransomware the result could have been disastrous.