Hackers exploit WordPress vulnerability within hours of PoC exploit release

Threat actors have started exploiting a recently disclosed vulnerability in WordPress, within 24 hours of the proof-of-concept (PoC) exploit being published by the company, according to a blog by Akamai.

The high-severity vulnerability — CVE-2023-30777, which affects the WordPress Advanced Custom Fields plugin — was identified by a Patchstack researcher on May 2.

The exploitation of the vulnerability leads to a cross-site scripting (XSS) attack in which a threat actor can inject malicious scripts, redirects, advertisements, and other forms of URL manipulation into a victim site. This could, in turn, push those illegitimate scripts to visitors of that affected site. The plugin has over two million active users across the world.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged users to visit the crafted URL path. The described vulnerability was fixed in version 6.1.6, also fixed in version 5.12.6,” Patchstack said in a detailed report on May 5 that  included an example of a payload. 

Security researchers at Akamai have now found that there has been a significant attack attempt within 48 hours of the sample code being posted. Threat actors have used the sample to scan for vulnerable websites that have not applied the patch or upgraded to the latest version. 

Response time for attackers is rapidly decreasing

The observation highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management, Akamai said in the blog. 

“Within a number of hours following the company’s announcement of the vulnerability and the associated patch, we saw increased XSS activity. One, in particular, stood out: the PoC query itself,” Akamai said. 

In the immediate 48 hours after the details were published, Akamai saw a significant amount of scanning activity. This is consistent with attackers’ activity seen in other zero-day vulnerabilities as well.

“It is common for security researchers, hobbyists, and companies searching for their risk profile to examine new vulnerabilities upon release. However, the volume is increasing, and the amount of time between release and said growth is drastically decreasing,” Akamai said. Attacks started within 24 hours of the POC being made public. 

The threat actor copied and used the sample code

In the activity monitored by Akamai, the threat actor copied and used the Patchstack sample code from the write-up. This activity was carried out across all verticals. 

“This breadth of activity and the complete lack of effort to create a new exploit code tells us the threat actor is not sophisticated. The actor was scanning for vulnerable sites and attempting to exploit an easy target,” Akamai said. 

This shows the importance of patch management and the quick application of patches to ensure security. “As was demonstrated here, the rate of exploitation of emerging and recently disclosed vulnerabilities remains high — and is getting faster,” Akamai said, adding that this highlights the need for proper tooling to provide real-time visibility and mitigation options for these types of attacks.

Older unpatched vulnerabilities give easy access to attackers

This case demonstrates the speed at which the attackers attempt to exploit unpatched vulnerabilities. Known vulnerabilities as old as 2017 are still being successfully exploited in wide-ranging attacks as organizations fail to patch or remediate them successfully, according to Tenable.

State-sponsored threat actors also used the known vulnerabilities to gain initial access to government organizations and disrupt critical infrastructure, Tenable said. The security firm advised that organizations should focus on preventive cybersecurity measures rather than reactive post-event cybersecurity measures to mitigate risk. Regular updates and patches should be applied.