6 May 2020

Hackers target nearly 1 million WordPress sites in a massive hacking campaign

Over the past week a massive campaign has been detected, in which the attackers attempted to hijack more than 900,000 WordPress sites in order to inject a malicious JavaScript that redirects visitors to malvertising sites or takes advantage of an administrator’s session to plant a PHP backdoor.

A sudden rise in attacks targeting Cross-Site Scripting (XSS) vulnerabilities in WordPress sites was detected on April 28, 2020, and the volume grew over the next few days to approximately 30 times the earlier level, researchers from cyber-security firm Wordfence said. The experts believe that the majority of these attacks have been conducted by a single threat actor.

In addition to XSS vulnerabilities in WordPress plugins, the hackers leveraged other flaws, mostly older issues allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” the researchers said.

The most targeted vulnerabilities are listed below:

  • An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August of 2019. Wordfence estimates it is installed on less than 3,000 sites. This accounted for more than half of all of the attacks.

  • An XSS vulnerability in Blog Designer which was patched in 2019. Wordfence says that no more than 1,000 vulnerable installations remain, though this vulnerability was the target of previous campaigns.

  • An options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL in addition to other options. Although this plugin has more than 100,000 installations, Wordfence estimates that no more than 5,000 vulnerable installations remain.

  • An options update vulnerability in Total Donations which would allow attackers to change the site’s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and it is estimated that less than 1,000 total installations remain.

  • An XSS vulnerability in the Newspaper theme which was patched in 2016. This vulnerability has also been targeted in the past.

“Although it is not readily apparent why these vulnerabilities were targeted, this is a large scale campaign that could easily pivot to other targets,” Wordfence pointed out.

WordPress website owners are advised to update the themes and plugins installed on their sites, deactivate and delete any plugins that have been removed from the WordPress plugin repository, and install a web application firewall (WAF) plugin to protect their sites from such attacks.
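The two effects the campaign aims for, a rewritten `home` URL and a remotely loaded script injected into pages, are both things a site owner can check for directly. The script below is an added example written for this article, not Wordfence's tooling or any WordPress code; it runs against constructed sample data (the hosts `example.org` and `attacker.invalid` are placeholders) standing in for an exported pair of `wp_options` rows and the rendered HTML of a page.

```python
"""Defensive audit for the two symptoms described in the article:
a 'home'/'siteurl' option pointing off-site and a <script src> loaded
from a foreign host. Added example; not code from Wordfence or WordPress."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the host the site is supposed to live on.
EXPECTED_HOST = "example.org"

# Constructed sample of wp_options rows after an options-update attack:
# 'home' has been rewritten to the attacker's domain, 'siteurl' is untouched.
SAMPLE_OPTIONS = {
    "home": "https://attacker.invalid",
    "siteurl": "https://example.org",
    "blogname": "Example Blog",
}

# Constructed sample page: one legitimate same-origin script next to an
# injected remote one (the redirect payload the article describes).
SAMPLE_HTML = """<html><head>
<script src="https://example.org/wp-includes/js/jquery.js"></script>
<script src="https://attacker.invalid/track.js"></script>
</head><body><p>Hello</p></body></html>"""


def audit_url_options(options, expected_host):
    """Return (option, value) pairs whose host differs from expected_host.

    'home' and 'siteurl' are the options an options-update bug lets an
    attacker rewrite so that every visitor is sent to another domain."""
    findings = []
    for key in ("home", "siteurl"):
        value = options.get(key, "")
        host = urlparse(value).hostname or ""
        if host.lower() != expected_host.lower():
            findings.append((key, value))
    return findings


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def find_external_scripts(html, expected_host):
    """Return script src URLs served from a host other than expected_host.

    Absolute and protocol-relative (//host/...) URLs carry a host and are
    checked; plain relative paths are same-origin and yield no host."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    external = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != expected_host.lower():
            external.append(src)
    return external


if __name__ == "__main__":
    for key, value in audit_url_options(SAMPLE_OPTIONS, EXPECTED_HOST):
        print(f"[!] option {key!r} points off-site: {value}")
    for src in find_external_scripts(SAMPLE_HTML, EXPECTED_HOST):
        print(f"[!] external script loaded: {src}")
```

On a live site the `options` dictionary would come from the database (`wp option get home` and `wp option get siteurl` under WP-CLI) and the HTML from fetching the front page; a legitimate CDN or analytics host would need to be added to the comparison before the script result is treated as a finding.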
