Connect with us

Hi, what are you looking for?


Malware & Threats

Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors

Malicious campaign exploits high-severity XSS flaws in three WordPress plugins to backdoor websites.

Vulnerabilities in three WordPress plugins are being exploited to inject malicious scripts and backdoors into websites, according to a warning from Fastly.

The flaws can be exploited to execute unauthenticated stored cross-site scripting (XSS) attacks, allowing attackers to create a new WordPress administrator account, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor the infected targets.

According to Fastly, there has been a significant number of exploitation attempts originating from IPs associated with the Autonomous System (AS) IP Volume Inc.

Impacting the WP Statistics plugin, which has over 600,000 active installations, the first bug allows attackers to inject scripts via the URL search parameter. Disclosed in March and impacting versions 14.5 and earlier of the plugin, the security defect is tracked as CVE-2024-2194.

“These scripts are executed whenever a user accesses an injected page. The attacker repeatedly sends requests containing this payload to ensure it appears on the most visited pages, adding the ‘utm_id’ parameter to these requests,” Fastly said in an advisory.

The second bug, CVE-2023-6961, impacts the WP Meta SEO plugin versions 4.5.12 and earlier. The plugin has over 20,000 active installations.

The attackers have been exploiting the bug to inject a payload into pages generating a 404 response. When the page is loaded in an administrator’s browser, the script pulls obfuscated JavaScript code from a remote server and, if the victim is authenticated, the payload steals their credentials.

As part of the campaign, threat actors have been also exploiting CVE-2023-40000, a vulnerability in the LiteSpeed Cache plugin versions and earlier. The plugin has over 5 million active installations.

Advertisement. Scroll to continue reading.

The attackers were seen disguising the XSS payload as an admin notification. As soon as an administrator would access a backend page, the script would “execute using their credentials for subsequent malicious actions”.

Fastly says it has identified five domains being referenced in the malicious payloads, along with two additional domains used for tracking. At least one of these domains was previously associated with the exploitation of vulnerable WordPress plugins.

Related: Critical WordPress Plugin Flaw Exploited to Inject Backdoors

Related: Critical Vulnerability Found in LayerSlider Plugin on WordPress Sites

Related: Discontinued Security Plugins Expose WordPress Sites to Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights