Wordfence analysts noticed that the XSS vulnerability in the Coming Soon Page & Maintenance Mode plugin that was reported last week is already being exploited by attackers. The vulnerability allows unauthorized attackers to inject JavaScript or HTML into the front end of vulnerable sites running plugin version 1.7.8 or lower. The injected code is used to load a payload on the site from a third-party domain controlled by the attackers.
Victims are first redirected to a domain that checks the type of device they are using and the User-Agent and, based on this and other factors, redirects the visitor to one of several types of malicious sites (fake technical support resources, porn sites, downloads of various Android APKs, suspicious pharmaceutical pages). The researchers also found sites that try to directly attack the user’s browser using various tricks and exploits.
The researchers write that the operators of this campaign used obfuscated payloads, and also involved a large number of sites in the attacks (obviously trying to cover their tracks and confuse information security specialists).
In addition to redirects, the attackers inject pop-up ads into victims’ websites. The JavaScript code responsible for this was found on domains associated with this malicious campaign, and experts also found injections that pull scripts from legitimate sites that had previously been infected by other means.
Wordfence notes that similar attacks on plugins have happened before. For example, in the spring of this year, hackers similarly exploited a bug in the Yellow Pencil Visual Theme Customizer plugin, and another in the Yuzo Related Posts plugin.
Source: xaker.ru