Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites.
The vulnerability allows unauthenticated attackers to add malicious JavaScript to a website, potentially enabling redirects to malvertising sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.
The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the nsc_bar_content_href parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.
According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.
Wordfence security researchers have published the top 20 attacking IP addresses.
If your site was impacted by this or an earlier attack campaign, the nsc_bar_bannersettings_json option in your database may have been corrupted. The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.
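As an added defender-side check (not part of the original post or of the plugin's own code), the following Python audits the value stored in the nsc_bar_bannersettings_json option for an href that could break out of a link attribute or carry script. Only the option name comes from the advisory; the key names inside the JSON and the sample values are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumed layout: the banner link is stored under the same key as the
# request parameter named in the advisory. The real plugin may differ.
HREF_KEYS = ("nsc_bar_content_href",)
SAFE_SCHEMES = {"", "http", "https"}  # "" = relative URL such as /privacy


def href_is_suspicious(value):
    """Flag a stored href that would not survive strict URL sanitization:
    markup/quote characters (attribute break-out) or a non-http(s) scheme."""
    if not isinstance(value, str):
        return True
    # Remove characters browsers ignore inside a scheme (tab, CR, LF)
    # so that "java\tscript:" is still recognised as javascript:.
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    if any(ch in cleaned for ch in "<>\"'"):
        return True
    return urlparse(cleaned).scheme.lower() not in SAFE_SCHEMES


def audit_banner_settings(option_value):
    """Parse the raw option string and return (key, value) pairs to review.
    An unparseable option is itself reported, since a tampered value may
    have left the stored JSON invalid."""
    try:
        settings = json.loads(option_value)
    except (TypeError, ValueError):
        return [("nsc_bar_bannersettings_json", "not valid JSON")]
    if not isinstance(settings, dict):
        return [("nsc_bar_bannersettings_json", "unexpected structure")]
    return [(k, settings[k]) for k in HREF_KEYS
            if k in settings and href_is_suspicious(settings[k])]


# Constructed samples: a clean option and a tampered one.
CLEAN_OPTION = json.dumps({"nsc_bar_content_href": "https://example.com/privacy"})
TAMPERED_OPTION = json.dumps({"nsc_bar_content_href": "javascript:void(0)"})

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_OPTION), ("tampered", TAMPERED_OPTION)):
        print(label, audit_banner_settings(raw))
```

Run it against the option value exported from wp_options (for example with `wp option get nsc_bar_bannersettings_json`); any finding means the stored banner link should be inspected before relying on the plugin's built-in repair.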
We recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.
Bijay Pokharel