The exploitation of the vulnerability leads to a cross-site scripting (XSS) attack in which a threat actor can inject malicious scripts, redirects, advertisements, and other forms of URL manipulation into a victim site.

Threat actors began exploiting a recently disclosed vulnerability in a WordPress plugin within 24 hours of the proof-of-concept (PoC) exploit being published by Patchstack, the security company that found it, according to a blog post by Akamai.

The high-severity vulnerability, CVE-2023-30777, affects the WordPress Advanced Custom Fields plugin and was identified by a Patchstack researcher on May 2. It is a reflected XSS flaw: a threat actor who tricks a privileged user into visiting a crafted URL can have malicious scripts, redirects, advertisements, and other forms of URL manipulation injected into the victim site, which in turn pushes those illegitimate scripts to the site's visitors. The plugin has over two million active installations worldwide.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged users to visit the crafted URL path. The described vulnerability was fixed in version 6.1.6, also fixed in version 5.12.6,” Patchstack said in a detailed report on May 5 that included an example payload.

Akamai researchers have since observed significant attack activity within 48 hours of that sample code being posted. Threat actors used the sample to scan for sites that had not applied the patch or upgraded to a fixed version.

Response time for attackers is rapidly decreasing

The observation shows that the time attackers need to weaponize a disclosure is shrinking, which makes prompt and rigorous patch management more important, Akamai said in the blog post.
“Within a number of hours following the company’s announcement of the vulnerability and the associated patch, we saw increased XSS activity. One, in particular, stood out: the PoC query itself,” Akamai said.

In the 48 hours after the details were published, Akamai saw a significant amount of scanning activity. This is consistent with attacker behaviour seen around other newly disclosed vulnerabilities.

“It is common for security researchers, hobbyists, and companies searching for their risk profile to examine new vulnerabilities upon release. However, the volume is increasing, and the amount of time between release and said growth is drastically decreasing,” Akamai said. Attacks started within 24 hours of the PoC being made public.

The threat actor copied and used the sample code

In the activity Akamai monitored, the threat actor copied the Patchstack sample code from the write-up and used it unchanged, against targets across all verticals.

“This breadth of activity and the complete lack of effort to create a new exploit code tells us the threat actor is not sophisticated. The actor was scanning for vulnerable sites and attempting to exploit an easy target,” Akamai said.

The episode underlines the importance of patch management and of applying fixes quickly. “As was demonstrated here, the rate of exploitation of emerging and recently disclosed vulnerabilities remains high — and is getting faster,” Akamai said, adding that this highlights the need for tooling that provides real-time visibility and mitigation options for these types of attacks.

Older unpatched vulnerabilities give easy access to attackers

This case demonstrates the speed at which attackers attempt to exploit unpatched vulnerabilities.
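Two checks follow directly from the passages above: whether an installed Advanced Custom Fields build is below the fixed releases the article quotes (6.1.6 and 5.12.6), and whether a site's access log shows the kind of reflected-XSS probing against wp-admin that Akamai describes scanners performing with the copied PoC. The script below is an added example written for this page, not code from Patchstack, Akamai or the plugin. The log lines, IP addresses, the `page=example` parameter and the payloads are constructed for illustration; the actual Patchstack proof-of-concept query is deliberately not reproduced, and the branch rule (5.x fixed at 5.12.6, 6.x fixed at 6.1.6, anything else reported as not covered) is an assumption drawn only from the versions quoted in the article.

```python
"""Added example (not from the article, Patchstack, Akamai or the plugin).

1. is_acf_vulnerable(): compare an installed Advanced Custom Fields version
   against the fixed releases quoted in the article (6.1.6 and 5.12.6).
2. find_xss_probes(): scan access-log lines for wp-admin requests whose
   decoded query string carries reflected-XSS style markers.

All sample data below is constructed; it is NOT the real PoC query.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the 5.x branch is fixed at 5.12.6 and the 6.x branch at 6.1.6
# (the two versions the article quotes); other branches are not covered.
FIXED = {5: (5, 12, 6), 6: (6, 1, 6)}


def parse_version(v: str):
    """'6.1.5' -> (6, 1, 5); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_acf_vulnerable(installed: str):
    """True if installed < fixed release of its branch, False if patched,
    None if the branch is not covered by the quoted advisory."""
    ver = parse_version(installed)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return None
    return ver < fixed


# Combined log format: ip ident user [ts] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)

# Markers that a decoded query string aimed at wp-admin should never carry.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|on(?:load|error|mouseover|focus)\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)


def find_xss_probes(lines):
    """Return (ip, path, decoded_query) for suspicious /wp-admin/ requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable log line
        parts = urlsplit(m.group("url"))
        if not parts.path.startswith("/wp-admin/"):
            continue  # only admin screens matter for this flaw
        # Decode twice: scanners often double-encode to slip past naive filters.
        decoded = unquote_plus(unquote_plus(parts.query))
        if XSS_MARKERS.search(decoded):
            hits.append((m.group("ip"), parts.path, decoded))
    return hits


SAMPLE_LOG = [  # constructed lines; 'page=example' is a placeholder parameter
    '203.0.113.7 - - [10/May/2023:08:14:02 +0000] "GET /wp-admin/admin.php?page=example&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/May/2023:08:14:05 +0000] "GET /wp-admin/admin.php?page=example HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2023:08:14:09 +0000] "GET /wp-admin/admin.php?page=example&q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/May/2023:08:15:00 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for v in ("6.1.5", "6.1.6", "5.12.5", "5.12.6"):
        print(v, "vulnerable" if is_acf_vulnerable(v) else "patched")
    for ip, path, q in find_xss_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {path}?{q}")
```

The version check is the first thing to run (`wp plugin list` or the plugin's header gives the installed version); the log scan is the second, because a site that was exposed before patching may already have been probed, and a hit against a path a privileged user could have clicked is worth a look at that user's session history. The double decode matters: the 302 responses in the constructed sample are exactly what a blind scanner would see from wp-admin without a session, and an encoded-once filter would miss the third line.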
Known vulnerabilities as old as 2017 are still being successfully exploited in wide-ranging attacks because organizations fail to patch or remediate them, according to Tenable. State-sponsored threat actors have also used known vulnerabilities to gain initial access to government organizations and to disrupt critical infrastructure, Tenable said. The firm advised organizations to focus on preventive measures, above all regular updates and timely patching, rather than on reactive, post-incident response to mitigate risk.