Wordfence's Defiant Threat Intelligence team observed an ongoing malvertising campaign that abuses a stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin.
What is the vulnerability?
Exploitation causes compromised WordPress sites to display unwanted popup ads and redirect visitors to malicious landing pages, including tech support scams, malicious Android APKs, and pharmaceutical ads.
Once the payload executes in a visitor's browser, it performs an initial redirect to a destination chosen according to the type of device the visitor is using.
“The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser,” the researchers said.
The XSS injection attacks originate from IP addresses belonging to popular hosting providers and are carried out through obfuscated PHP shells with limited functionality. The attackers route them through a small set of compromised sites in order to hide the true source of the activity.
The XSS flaw has been patched in the WordPress plugin version 1.7.9.
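A defender-side check, added here as an example and not part of Wordfence's report or tooling: it scans stored WordPress option values for injected scripts that redirect visitors based on device type, the behaviour the campaign above exhibits. The rows, option names and hostnames are constructed for the example; `allowed_hosts` is an assumed list of script origins the site legitimately uses.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample rows in the shape of wp_options (option_name -> option_value).
# Values are made up for this example, not the campaign's real payload.
SAMPLE_ROWS = {
    "seedprod_coming_soon_page_options": "<p>We are launching soon.</p>",
    "widget_text": ("<script>var u=navigator.userAgent;"
                    "if(/Android|iPhone/i.test(u)){window.location.href='https://landing.invalid/m';}"
                    "</script>"),
    "blogdescription": "Just another WordPress site",
    "footer_html": "<script src='https://cdn.invalid/ads.js'></script>",
    "theme_html": "<script src='https://static.example.org/site.js'></script>",
}

SCRIPT_RE   = re.compile(r"<script\b", re.I)
SRC_RE      = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.I)
REDIRECT_RE = re.compile(r"\blocation(?:\.href)?\s*=|\blocation\.(?:replace|assign)\s*\(", re.I)
DEVICE_RE   = re.compile(r"navigator\.userAgent|\bAndroid\b|\biPhone\b|\bMobile\b", re.I)

@dataclass
class Finding:
    key: str
    severity: str
    reasons: list = field(default_factory=list)

def scan_value(key, value, allowed_hosts=()):
    """Return a Finding for one stored value, or None if it contains no script."""
    if not SCRIPT_RE.search(value):
        return None                      # plain HTML/text: nothing to flag
    reasons = ["<script> present in stored content"]
    for url in SRC_RE.findall(value):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:    # external script from an origin the site does not use
            reasons.append(f"external script from unknown host {host}")
    has_redirect = bool(REDIRECT_RE.search(value))
    has_device = bool(DEVICE_RE.search(value))
    if has_redirect:
        reasons.append("client-side redirect")
    if has_device:
        reasons.append("device/user-agent detection")
    # A redirect keyed on device type is the pattern described in the campaign: rate it high.
    severity = "high" if (has_redirect and has_device) else ("medium" if len(reasons) >= 2 else "low")
    return Finding(key, severity, reasons)

def scan_rows(rows, allowed_hosts=()):
    """Scan every option row; returns only rows that contain a script."""
    return [f for f in (scan_value(k, v, allowed_hosts) for k, v in rows.items()) if f]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, allowed_hosts={"static.example.org"}):
        print(f.severity.upper(), f.key, "; ".join(f.reasons))
```

On a live site the same check can be run over a `wp_options` export or over plugin settings pulled with WP-CLI; a "high" hit on a plugin below the patched version is the signal to clean the stored value and update.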