Wordfence analysts noticed that the XSS vulnerability in the Coming Soon Page & Maintenance Mode plugin, which was reported last week, is already being used by attackers. The vulnerability allows unauthorized attackers to inject JavaScript or HTML on the front-end of vulnerable sites running plugin version 1.7.8 or lower. The injected code is used to load a payload on the site from a third-party domain controlled by the attackers.
The researchers write that the operators of this campaign used obfuscated payloads and also involved a large number of sites in the attacks (obviously trying to cover their tracks and confuse information security specialists).
In addition to redirects, the attackers introduce pop-up ads on victims' websites. The JavaScript code responsible for this was found on domains associated with this malicious campaign, and experts also found injections that pull scripts from legitimate sites that were previously infected using other means.
Wordfence reminds readers that similar attacks on plugins have happened before. For example, in the spring of this year, hackers similarly used a bug in the Yellow Pencil Visual Theme Customizer plugin, as well as one in the Yuzo Related Posts plugin.
Source: xaker.ru