WordPress XSS exploits have featured prominently in recent lists of cybersecurity breaches. With many websites falling victim to them, data suggests that more than 18% of websites have been affected. This is a major threat to the security of users visiting an affected website, because the exploit captures user data and, in turn, exposes those users to phishing on the internet. Moreover, because the internet now touches every aspect of life, such a compromise also raises the risk of legal problems.

In this article, we describe the important aspects of the WordPress XSS exploit and of cleaning a hacked WordPress site. We discuss a case study of a recent WordPress XSS exploit that attacked more than 20,000 websites, and we also explore how to prevent such attacks in future.

What is a WordPress XSS exploit?

A WordPress XSS exploit is a malicious cross-site scripting (XSS) attack against websites that puts their users' privacy at stake. Malicious JavaScript is injected into websites built on the WordPress platform. The code activates when a user visits the website, and the script then runs in the web browser the visitor is using.

Moreover, if you are a website owner, it exposes you to the risk of having your website's data leaked, which can lead to a number of further malicious activities.

So, what happens if your website has been attacked? The worst-case scenario is being completely banned by Google and by your hosting partner. The loss of online reputation can have a domino effect that may even lead to lawsuits being filed against your website.

Is there a solution? Yes: we have you completely covered against any such WordPress XSS exploit. Read on as we explore how you can keep your head above water and still keep your website running.

Mechanism of the WordPress XSS exploit

Although there are two ways in which your WordPress website can be exposed to XSS, we will discuss the most common one, which involves user input. Users interact with your site through various input points such as the comment section, the search bar, or the contact form.

Everything a user types into these fields is stored in the website's database. Although these fields are intended only for letters and numbers, there are often no website security measures controlling what is actually accepted.

All a cybercriminal needs to do is enter JavaScript code into these fields, and it is stored in the website's database. When the site later serves that stored content back as part of a page, the code executes in visitors' browsers, which can give the attacker control of your website.

Every time a user visits the infected website, the WordPress XSS exploit is activated and can monitor that user's session on the site. Moreover, if another tab is open in the same browser, it can also lead to information from that tab being tracked, letting the attacker impersonate you and cause you further harm.
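The mechanism described above comes down to stored input being written back into a page without encoding. The following is an added illustration, not code from the original article or from WordPress itself: a minimal comment renderer in its vulnerable form and in a hardened form that encodes each field for the context it lands in (HTML body, attribute, and URL). The comment record and its payloads are constructed for the example; the function names are hypothetical.

```python
import html
from urllib.parse import urlparse

# Constructed sample comment: each field carries a harmless test payload
# (an alert) of the kind the text describes, one per rendering context.
CONSTRUCTED_COMMENT = {
    "author": 'Mallory" onmouseover="alert(1)',                    # attribute context
    "website": "javascript:alert(1)",                             # URL context
    "body": "<script>alert(document.cookie)</script> nice post",  # HTML body context
}


def render_comment_unsafe(comment):
    """Vulnerable rendering: stored fields are concatenated straight into
    the page, so whatever was saved in the database becomes live markup."""
    return (
        f'<div class="comment" data-author="{comment["author"]}">'
        f'<a href="{comment["website"]}">{comment["author"]}</a>'
        f'<p>{comment["body"]}</p></div>'
    )


def safe_url(url, allowed_schemes=("http", "https")):
    """Allow only absolute http(s) links; anything else (javascript:, data:,
    relative paths) is replaced by a harmless placeholder. This is stricter
    than WordPress's own URL escaping and is a choice made for the example."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in allowed_schemes or not parsed.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(comment):
    """Hardened rendering: each field is encoded for the context it lands in.
    html.escape(quote=True) neutralises <, >, &, " and ', so stored input can
    only ever be displayed as text, never parsed as tags or attributes."""
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return (
        f'<div class="comment" data-author="{author}">'
        f'<a href="{safe_url(comment["website"])}">{author}</a>'
        f'<p>{body}</p></div>'
    )


def contains_live_script(rendered):
    """Crude check used only to contrast the two renderers: does the output
    still contain an unescaped <script tag or a javascript: link?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print("UNSAFE:", render_comment_unsafe(CONSTRUCTED_COMMENT))
    print("SAFE:  ", render_comment_safe(CONSTRUCTED_COMMENT))
```

The point of the three contexts is that one escaping routine does not fit all of them: the body and attribute payloads are neutralised by HTML entity encoding, but the link payload survives entity encoding untouched and has to be rejected by scheme instead.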

A real-life example of a WordPress XSS exploit

A recent incident began on April 28, 2020, in which more than 30% of WordPress websites faced a WordPress XSS exploit. The attack started with a few websites but escalated quickly over the following days, rising to as much as 30 times the normal attack volume we see.

Note that the culprit behind all these attacks is a single actor, as we concluded after researching the payload. The payload is used to inject malicious JavaScript into WordPress that redirects users to malvertising websites.

Our research also found that the attacker exploited some old vulnerabilities. This allowed the website's domain name settings to be altered to the domain used in the XSS payload, redirecting visitors to malicious sites.

Is your website also under attack? Are you sure that it is not?

Check the Indicators of Compromise below to find out whether your website is safe!

Let us look at the targets that were compromised during the attack.

Targets of the recent XSS attack

Although most of these targets have been attacked before, it is worth knowing them so that we can protect our websites.

  • The Easy2Map plugin, installed on close to 3,000 websites, was exposed to the attack. Although the plugin was removed back in 2019, if your website still uses it you should check the Indicators of Compromise section of this article.
  • The Blog Designer plugin was also exposed to the attack. With nearly 1,000 users at the time of the attack, it turned out to be the second major target of the XSS attacks on WordPress.
  • The Newspaper theme for WordPress has also been targeted before. An XSS vulnerability in the theme led to compromise of the websites using it.
  • Total Donations, the next target, had an option-update vulnerability that even allowed the attackers to change the site URL. Although it was removed from the Envato Marketplace back in 2019, it still had more than 100,000 users at the time of the attack, which is quite astonishing!

It is worth noting that these targets were not selected at random. Each had either been removed previously by WordPress or had a recent update that made it vulnerable. If you can recognise the pattern, you can save your website from the next XSS attack.

Getting into technicalities of the attack

The malicious activity starts with an attempt to inject JavaScript into the website, so that the site infects the administrator's browser when the administrator opens it. The script targets the administrator's web browser and checks whether the visitor is logged in to the system.

If the victim is not logged in, they are redirected to a malvertising website. If the victim is logged in, the JavaScript running in their browser attempts to plant a backdoor.

Indicators of Compromise

The indicators of compromise are the tell-tale signs that show whether your website has been hit by the recent XSS attack or has been spared. Let us have a look at them:

  • The current payload runs checks on your website using the following strings to confirm its infection status, so their presence on your site is a sign of compromise:

    ohjt689ig9 and trackstatisticss

  • The payload records a timestamp of the last time it checked your website in a file named debugs.log, which lets it keep checking continuously; the presence of this file is another indicator.
  • Any occurrence of the domain name stivenfernando[.]com on your website is a potential sign that your website has been compromised.
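To make the indicators above actionable, here is an added example (not code from the original article) of a small scanner that runs over a site backup held in memory and reports every hit on the payload strings, the debugs.log filename and the stivenfernando[.]com domain, plus a separate check for the altered siteurl/home options mentioned earlier. The site contents, file paths and SQL dump format are constructed for the example; the function names are hypothetical.

```python
import re

# Indicators taken from the article. The domain is written defanged on the
# page; the [.] is undone so the scanner matches the form found in real files.
PAYLOAD_STRINGS = ("ohjt689ig9", "trackstatisticss")
MALICIOUS_DOMAIN = "stivenfernando[.]com".replace("[.]", ".")
TIMESTAMP_FILE = "debugs.log"

# Constructed sample of a site backup: relative path -> file contents.
# None of this is real data; it only exercises each indicator once.
CONSTRUCTED_SITE = {
    "wp-content/themes/Newspaper/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "wp-content/plugins/blog-designer/js/bd.js": "var ohjt689ig9 = 1; // marker left by the payload\n",
    "wp-content/uploads/debugs.log": "1588089600\n",
    "db/wp_options.sql": (
        "INSERT INTO wp_options VALUES (1,'siteurl','https://stivenfernando.com/x','yes');\n"
        "INSERT INTO wp_options VALUES (2,'home','https://example.org','yes');\n"
        "INSERT INTO wp_options VALUES (3,'blogname','Example Blog','yes');\n"
    ),
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
}


def scan_site(files):
    """Return a list of (path, line_number, indicator) hits over a mapping of
    relative path -> contents. Filename-only indicators report line 0."""
    findings = []
    domain_re = re.compile(re.escape(MALICIOUS_DOMAIN), re.IGNORECASE)
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] == TIMESTAMP_FILE:
            findings.append((path, 0, "file named " + TIMESTAMP_FILE))
        for lineno, line in enumerate(content.splitlines(), start=1):
            for marker in PAYLOAD_STRINGS:
                if marker in line:
                    findings.append((path, lineno, "payload string " + marker))
            if domain_re.search(line):
                findings.append((path, lineno, "domain " + MALICIOUS_DOMAIN))
    return findings


def site_url_options(sql_dump):
    """Pull the siteurl and home rows out of a simple wp_options dump.
    The row pattern matches the constructed dump format used above."""
    row_re = re.compile(r"VALUES \(\d+,'(siteurl|home)','([^']*)'")
    return dict(row_re.findall(sql_dump))


def check_site_options(sql_dump, expected_host):
    """Names of site URL options that no longer point at the host you expect,
    which is how the domain alteration described in the article shows up."""
    opts = site_url_options(sql_dump)
    return sorted(name for name, value in opts.items() if expected_host not in value)


if __name__ == "__main__":
    for path, lineno, what in scan_site(CONSTRUCTED_SITE):
        print(f"{path}:{lineno}: {what}")
    print("altered options:", check_site_options(CONSTRUCTED_SITE["db/wp_options.sql"], "example.org"))
```

Run it against an unpacked backup or a database dump rather than the live site, so the check does not itself execute any PHP from the compromised install; a clean site produces an empty list of findings and an empty list of altered options.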

Is there a solution to the WordPress XSS exploit?

In such a situation, one of the most important steps is to keep your WordPress installation continuously updated. Do not keep plugins that have long been removed from the repository or that are likely to come under attack; removing vulnerable or abandoned plugins is the best measure.

In addition, you can run a firewall in front of your website to keep malicious requests at bay. It helps protect your site against vulnerabilities that are yet to be patched.

Is there any way to recover the site?

If your website has been hit by the XSS exploit, it is important first to identify the type of XSS attack. For a stored XSS attack, you must locate the point where the malicious input entered the site. Once located, sanitize the input at that point, followed by encoding the data on output.

Follow this up by cleaning the database of the injected code and invalidating all active sessions, which will require all users to log back into your site.

If your website has been hit by reflected XSS, the procedure is similar, although you should start by fixing the component that reflects the input back into the page.

Lastly, it is always advisable to keep a backup of your website's code on a separate server, so that your data is not lost in the event of a WordPress XSS exploit.
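The recovery steps above call for invalidating all active sessions. One standard way to do that in WordPress is to rotate the eight authentication keys and salts in wp-config.php, since every login cookie is signed with them and changing them forces every user to log in again. The following is an added example, not code from the original article or from WordPress: it rewrites those define() lines in a copy of the config text with fresh random values and leaves everything else untouched. The wp-config.php fragment is constructed, and the key alphabet and function names are this example's own choices.

```python
import re
import secrets
import string

# The eight constants WordPress uses to sign login cookies and nonces.
# Changing them invalidates every existing authentication cookie site-wide.
WP_SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters that can sit inside a single-quoted PHP string without escaping
# (no quote, no backslash). This alphabet is our choice, not WordPress's.
_KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"

_NAMES = "|".join(WP_SALT_CONSTANTS)
_DEFINE_RE = re.compile(r"define\(\s*'(" + _NAMES + r")'\s*,\s*'([^']*)'\s*\);")


def new_salt(length=64):
    """Cryptographically random value from the safe alphabet."""
    return "".join(secrets.choice(_KEY_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_config_text, rotated_names). Each define('<NAME>', '...')
    for a salt constant gets a fresh value; everything else is kept byte for
    byte. Constants missing from the file stay missing, so the caller can
    notice and add them."""
    rotated = []

    def replace_one(match):
        name = match.group(1)
        rotated.append(name)
        return f"define('{name}', '{new_salt()}');"

    return _DEFINE_RE.sub(replace_one, config_text), rotated


def salt_values(config_text):
    """Map constant name -> current value, for before/after comparison."""
    return dict(_DEFINE_RE.findall(config_text))


# Constructed wp-config.php fragment with the stock placeholder salts.
CONSTRUCTED_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated_text, names = rotate_salts(CONSTRUCTED_WP_CONFIG)
    print(f"rotated {len(names)} constants")
    print(rotated_text)
```

Rotate the salts only after the injected code and any backdoor accounts have been removed, otherwise the attacker simply logs in again; and because this invalidates cookies rather than deleting stored session tokens, clearing those tokens from user meta is a sensible additional step.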