Nearly 1 million WordPress sites are being hit by what is likely a single threat actor attempting to inject a redirect into the sites by exploiting a cross site scripting vulnerability.
Ameet Naik, the security evangelist at PerimeterX, noted that an XSS attack while being used for a redirect here, can lead to more serious issues.
Recommended Reading: WordPress WooCommerce sites targeted by credit card skimmers
The scale of the attacks is staggering. WordFence believes the malicious actor may have launched a few small-scale attacks before April 28 but has since massively increased the number of incidents with 20 million attacks attempted against more than 500,000 individual sites on May 3 alone.WordPress plugins have been the focus of many attacks, but this campaign is by far the largest spotted.
“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” the team reported.
The attacks are targeting five WordPress plugins — some of which have been discontinued, but are still in use by certain site operators — with vulnerabilities that may have not yet been patched by users. These include an XSS vulnerability in Easy2Map, a plugin with only 3,000 installs, which was pulled from the WordPress repository in August 2019, but was the focus of about half of the current attacks. Also targeted was an options update vulnerability in the plugin Total Donations, which was removed from the Envato Marketplace in early 2019.