Hacker Exploits Vulnerability in AMP Plugin for WP to Conduct XSS Attack
The security vulnerabilities in the AMP for WP plugin stem from older plugin versions not rigorously verifying nonces on user requests. The latest plugin version (0.9.97.20), released two weeks ago, has addressed these vulnerabilities.
Unfortunately, some users remain unaware of these vulnerabilities and have not updated to the patched version. This leaves their sites open to exactly the kind of attack described below.
According to research by Wordfence threat analyst Mikey Veenstra, a campaign is underway that exploits these vulnerabilities to carry out a cross-site scripting (XSS) attack: malicious script is injected into vulnerable WordPress sites and, when it runs in a site administrator's browser, hijacks the administrator's privileges.
In response to BleepingComputer, the researcher stated: "All instances of attacks are automated. With the presence of the broken User-Agent string 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv' in all identified attacks within this campaign, as well as the payload format irrespective of the large number of attacking IP addresses, it's uncertain whether these attacks are being executed manually or not."
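The truncated User-Agent string quoted above is a usable detection pivot for site owners reviewing their web server logs. The following is an added example, not code from the article or from Wordfence: it parses combined-format access-log lines and flags requests whose User-Agent is exactly the cut-off string. The log lines and IP addresses are constructed for illustration; a genuine Firefox User-Agent continues with a version number after "rv:", so an exact match on the truncated value does not hit legitimate browsers.

```python
import re
from collections import Counter

# Truncated User-Agent quoted by the researcher as common to all attacks in the campaign.
# A genuine Firefox UA continues with a version after "rv:", so an exact match on this
# cut-off string does not catch legitimate browsers.
BROKEN_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv"

# Constructed sample access-log lines in Apache/nginx combined format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2018:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv"
198.51.100.4 - - [10/Oct/2018:12:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 10240 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.9 - - [10/Oct/2018:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv"
203.0.113.7 - - [10/Oct/2018:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_broken_ua(ua):
    """True only for the exact truncated string; longer, well-formed UAs do not match."""
    return ua == BROKEN_UA


def find_suspicious(log_text):
    """Return the parsed entries whose User-Agent is exactly the truncated campaign string."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_broken_ua(entry["ua"]):
            hits.append(entry)
    return hits


def hits_by_ip(log_text):
    """Count matching requests per source IP, to prioritise which sources to review first."""
    return Counter(entry["ip"] for entry in find_suspicious(log_text))


if __name__ == "__main__":
    for ip, n in hits_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) with truncated User-Agent")
```

Matching on equality rather than a prefix is deliberate: a prefix match would also hit every real Firefox 6.1 user, while the campaign's string stops dead after "rv". Feed the function a real log file's contents to get the same per-IP summary.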
The malicious script is hosted at https://sslapis[.]com/assets/si/stat.js. When it executes in the administrator's browser, it creates a new rogue administrator user on the site.
"After creating a hidden iframe element on the page being viewed by the affected Admin, the script mimics the process of filling out a new user form. As part of this process, it selects the Admin role and triggers a click() event on the Submit button to create a new user with Admin access," according to Veenstra's research.
Once the rogue administrator account is added, it is configured with the username supportuser and the email [email protected], as shown in the following code snippet.
After adding the new user, the script enumerates every installed plugin and injects a PHP backdoor into each one.
The injected backdoors are stored base64-encoded (an encoding, not encryption) and are decoded back into PHP code at runtime. The decoded code uses the extract() function to turn user-supplied input into variables and then hands them to the die() function.
Concretely, the backdoor reads the parameters appended to the URL of the backdoored plugin, assigns them to variables with extract(), and then calls die() with the injected command, such as the variable cdate together with arguments for that function.
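Because the backdoor is stored as a base64 blob inside otherwise legitimate plugin files, a site owner cleaning up needs a way to find it across every plugin. The following is an added example, not code from the article or from Wordfence: it scans PHP sources for base64_decode() calls on string literals, decodes each literal, and flags those whose decoded form contains the extract()/die() pattern the report describes, plus the tell-tale eval(base64_decode(...)) wrapper. The sample plugin files, their paths and the marker blob are constructed for illustration; the marker merely contains the indicator tokens and is not the campaign's payload.

```python
import base64
import binascii
import re
from pathlib import Path

# Constructed marker blob (not the real backdoor): only carries the indicator tokens.
_MARKER = base64.b64encode(b"<?php extract($_REQUEST); die($cdate); ?>").decode()

# Constructed sample plugin sources (not from the article), keyed by path. The first one
# decodes a PNG signature, a legitimate use of base64_decode(); the second carries the marker.
SAMPLE_FILES = {
    "wp-content/plugins/good-plugin/good-plugin.php": (
        "<?php\n/* Plugin Name: Good Plugin */\n"
        "$icon = base64_decode('iVBORw0KGgo=');\n"
    ),
    "wp-content/plugins/amp/amp.php": (
        "<?php\n/* Plugin Name: AMP */\n"
        f"eval(base64_decode('{_MARKER}'));\n"
    ),
}

# base64_decode() applied to a string literal (whitespace inside the literal is tolerated).
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

# Tokens whose co-occurrence in a decoded blob matches the described backdoor.
REQUIRED = ("extract(", "die(")
INPUT_SOURCES = ("$_REQUEST", "$_GET", "$_POST")


def decoded_blobs(src):
    """Decode every string-literal argument of base64_decode(); skip literals that are not valid base64."""
    out = []
    for blob in B64_CALL_RE.findall(src):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        out.append(raw.decode("utf-8", "replace"))
    return out


def assess_source(src):
    """Return a list of finding strings for one PHP source text (empty if nothing matched)."""
    findings = []
    for decoded in decoded_blobs(src):
        if all(tok in decoded for tok in REQUIRED):
            sources = [s for s in INPUT_SOURCES if s in decoded]
            findings.append(
                f"base64 blob decodes to extract()/die() code reading {sources or 'unknown input'}"
            )
    if re.search(r"eval\(\s*base64_decode\(", src):
        findings.append("eval() wrapped directly around base64_decode()")
    return findings


def scan_files(files):
    """files: mapping path -> source text. Returns only the paths that produced findings."""
    report = {}
    for path, src in files.items():
        findings = assess_source(src)
        if findings:
            report[path] = findings
    return report


def scan_plugin_dir(root):
    """Run the same check over real .php files under a directory such as wp-content/plugins."""
    root = Path(root)
    return scan_files({str(p): p.read_text(errors="replace") for p in root.rglob("*.php")})


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

A hit from this scanner is a starting point for review, not proof on its own; the fix the article recommends is still to remove the rogue account, reinstall affected plugins from clean copies, and update AMP. Running scan_plugin_dir("wp-content/plugins") over a real installation applies the same logic to every plugin the script may have touched.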
As AMP is a fairly popular WP plugin, and given the severity of the vulnerability and the ongoing attacks, all users are advised to exercise caution when installing plugins in WordPress, to remove rogue administrator accounts such as supportuser and any other unrecognised administrator accounts, and to update to AMP plugin version 0.9.97.20 or higher.
The script also activates the WooCommerce plugin
Notably, the XSS script also contains a function that activates the WooCommerce plugin. The script loads WordPress's plugin.php page, which lists the installed plugins together with links to activate them, searches that list for WooCommerce, and activates it if found.
WooCommerce is itself one of the popular WordPress plugins that has been found to contain vulnerabilities allowing access with administrator privileges.
According to BleepingComputer, Wordfence's security researchers speculate that the script could also be used to run payloads downloaded from command-and-control (C2) servers.
"The script used from the C2 server also defines the 'EnableReplace' function, which creates inline changes for specific WooCommerce pages, if any. It's unclear why JavaScript is used to initiate this phase of the attack, as the Admin account and PHP backdoor would allow attackers to make any direct changes to WooCommerce they desire. We assume the C2 server will deploy additional XSS payloads more easily due to these inline changes."
