WordPress XSS exploits have been a recent culprit in the list of cybersecurity breaches. With multiple websites falling victim, the data suggests that more than 18% of websites have been affected. The exploit is a serious threat to the safety of users who visit an affected website, because it captures user data, which in turn makes those users vulnerable to phishing over the Internet. Furthermore, given the extensive use of the Internet in all aspects of life, it also opens up the possibility of legal problems.

In this article, we describe the important aspects of the WordPress XSS exploit and of cleaning up a hacked WordPress site. We discuss a case study of a recent WordPress XSS exploit targeting over 20,000 websites, and we also explore how to prevent further attacks of this kind.

What is the WordPress XSS exploit?

The WordPress XSS exploit is a malicious cross-site scripting (XSS) attack on websites that puts users' privacy at risk. JavaScript code is executed on websites that use the WordPress platform. The code is activated when a user visits an affected website, and it remains in the web browser used by that user.

Also, if you own a website, it puts your website data at risk of exposure. This can lead to a number of malicious activities.

What happens if your website has been attacked? The worst-case scenario is being blocked entirely by Google and your hosting partner. Losing your online reputation could have a domino effect that could even result in legal action against your website.

Is there a solution? Yes, we have you covered against such a WordPress XSS exploit. Stay tuned while we explore how you can keep your head above water and keep your website running.

WordPress XSS operating mechanism

While there are two ways in which your WordPress website can be threatened by XSS, we will discuss the most common one, which involves the handling of user input. Users can interact with your site in various places, such as the comments section, the search bar or the contact form.

Everything the user enters there is stored in the website database. Although these fields are meant to accept only letters and numbers, no security measure on the website checks what is actually entered.

All that cybercriminals need to do is enter their JavaScript code into these fields, and it is stored in the website database. This gives them access to the database in the form of executable links, which give them control of your website.

Each time a user arrives at the infected website, the WordPress XSS exploit is activated, and it can monitor the user's session on the website. In addition, if another tab is open in the same browser, information from that tab can be tracked and used to impersonate you and harm you later.

A real example of a WordPress XSS exploit

A recent attack escalated on April 28, 2020, when more than 30% of WordPress websites faced a WordPress XSS exploit. The attack started with a few websites but quickly grew over the next few days, reaching up to 30 times the normal attack volume we see.

You should know that the culprit behind all these attacks is a single attacker, which we concluded after studying the payload. The payload is used to inject malicious JavaScript into WordPress, which redirects users to malicious websites.

Our research also found that the attacker exploited old vulnerabilities. This allowed the domain name of the website to be changed to the one used in the XSS payload, leading visitors to malicious sites.

Is your website also under attack? Are you sure it is not?

You may want to check the compromise indicators to find out if your website is safe!

Let’s see which targets were compromised during the attack.

Targets of the recent XSS attack

Although most of the targets have already been attacked, it is useful to know them so that we can protect our websites.

  • The Easy2Map plugin, which was installed on nearly 3,000 websites, was exposed to the attack. Although this plugin was removed in 2019, if your website is still using it, check the compromise indicators section of this article.
  • The Blog Designer plugin was also exposed to the attack. With nearly 1000 users at the time of the attack, it turned out to be the second major target of XSS attacks on WordPress.
  • The Newspaper theme for WordPress has also been targeted before. An XSS vulnerability in the theme led to site compromise.
  • Total Donations, the next target, had an update option that even helped attackers change the site's URL. Although it was removed from the Envato market in 2019, it had more than 100,000 users at the time of the attack, which is pretty incredible!

It is interesting to note that these targets were not chosen at random. They had either been removed by WordPress previously or had a recent update that made them malicious. If you follow the pattern, you may be able to save your website from the next XSS attack.

Getting into the technical details of the attack

The malicious activity started with an attempt to inject JavaScript into the website; the script takes effect once an administrator opens the affected page. It aims to infect the administrator's web browser, and it checks whether the administrator is logged in.

If the victim is not logged in, they are redirected to a malicious website. If the victim is logged in, the JavaScript that infects the user's browser attempts to create a backdoor entry.

Compromise indicators

Compromise indicators are telltale signs of whether your website has been a victim of the recent XSS attack or has been spared. Let's look at them:

  • The following strings are used to determine the status of the website, since the current payload checks for them on your website to confirm that status: ohjt689ig9 and trackstatisticss
  • A timestamp indicating the last time your website was checked by the attack is saved to a file called debugs.log, which allows the website to be checked continuously.
  • Any occurrence of the stivenfernando[.]com domain name on your website is a potential sign that your website has been compromised.
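The indicators above can be checked mechanically. The following is an added example, not code from the original article: a small Python scanner that walks a site directory (or a folder holding a database export) and reports files named debugs.log and files containing the listed strings or domain. The function names, the size limit and the sample file paths are assumptions made for illustration, and the sample tree is constructed.

```python
import os
import tempfile

# Indicators taken from the list above. The domain stays defanged in the
# source and is re-fanged only in memory for matching.
IOC_STRINGS = ["ohjt689ig9", "trackstatisticss",
               "stivenfernando[.]com".replace("[.]", ".")]
IOC_FILENAMES = {"debugs.log"}
MAX_BYTES = 5 * 1024 * 1024  # assumption: read at most 5 MiB per file


def scan_tree(root):
    """Return sorted (relative_path, indicator) pairs found under root."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in IOC_FILENAMES:
                hits.add((rel, "file:" + name.lower()))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES).lower()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for ioc in IOC_STRINGS:
                if ioc.encode() in data:
                    hits.add((rel, "string:" + ioc))
    return sorted(hits)


def build_sample_site(root):
    """Write a constructed sample tree: one clean file, three flagged."""
    samples = {
        "index.php": "<?php // clean file\n",
        "wp-content/themes/demo/header.php": "// constructed: trackstatisticss\n",
        "wp-content/debugs.log": "1588032000\n",  # constructed timestamp
        "backup/dump.sql": "-- constructed: siteurl = " + IOC_STRINGS[2] + "\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, indicator in scan_tree(site):
            print(f"{rel}: {indicator}")
```

A hit is a reason to inspect the file, not proof of compromise, and a clean result only means these particular indicators were not found.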

Is there any solution for the WordPress XSS exploit?

In such a situation, one of the most important steps is to make sure that your WordPress installation is kept up to date. It should not have plugins that were removed long ago or that are likely to come under attack. Removing malicious plugins is the best measure.

In addition, you can run a firewall on your website to keep malicious attacks at bay. It ensures that your site is protected against vulnerabilities that have not yet been patched.

Is there a way to get the site back?

If your website has been hit by an XSS exploit, it is important to identify the type of XSS attack. If it is a stored XSS attack, locate the point of origin of the attack. Once it is located, start sanitizing it, then encode the output data.

Continue by cleaning up the database and removing malicious entries, then invalidate all active sessions, which will require all users to log in to your site again.

If your website has been hit by a reflected XSS attack, the procedure is similar, although you may need to start by fixing the component that reflects the input.

Finally, it is always advisable to keep a backup of your website code on a server, so that your data is not lost in the event of a WordPress XSS exploit.