An ongoing malvertising campaign is targeting an unauthenticated stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin according to Wordfence's Defiant Threat Intelligence team.

The now patched flaw allows unauthenticated attackers to inject JavaScript or HTML code into the blog front-end of WordPress sites running the plugin's version 1.7.8 or below.

The malvertising campaign detected by Wordfence causes compromised WordPress sites "to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads."

Malicious redirects and popup ads

The JavaScript payload used to infect the sites will load additional code from other third-party domains to construct the full malicious payload that gets executed for visitors of infected websites.

On each payload execution, the targets will be automatically redirected to a second domain that sends them to a third destination URL based on the type of device the visitor uses by checking the browser's User-Agent string, with a cookie also used to track returning victims.

JavaScript payload redirect

"The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser," found Wordfence.

Attackers also leverage popup ads as an alternate method to abuse their targets, with code injections sourced from previously compromised sites as well as JavaScript-based scripts stored on infected sites abused as part of this malvertising campaign being employed to inject the ads.

XSS attacks launched via webshells

"Once everything has triggered, the victim’s browser will open a selected address in a new tab the next time they click or tap the page," adds Wordfence.

The XSS injection attacks launched by the threat actors operating this campaign are originating from IP addresses connected to popular hosting providers, obfuscated PHP shells with limited functionality being employed by the attackers to launch XSS attacks by proxy via arbitrary commands.

Webshell found on infected WordPress site

Attackers are "using a small array of compromised sites to perform these attacks in order to conceal the source of their activities" and they will most likely "leverage any similar XSS vulnerabilities that may be disclosed in the near future," Wordfence concludes.

More details on the inner workings of these attacks, as well as indicators of compromised (IOCs) including malware hashes, domains, and attacking IP addresses, are provided by the Defiant Threat Intelligence team at the end of their malvertising campaign report.

Previous campaigns targeting WordPress sites

This is not a novel campaign, with similar campaigns exploiting vulnerabilities in the Social Warfare, Yellow Pencil Visual Theme Customizer, Easy WP SMTP, and Yuzo Related Posts plugins installed on tens of thousands of WordPress sites.

In the case of those attacks, the exploits were also using malicious scripts hosted on an attacker-controlled domain, with the same bad actor being behind all four campaigns.

In December 2018, a large botnet consisting of over 20,000 WordPress sites was used to attack and infect other WordPress websites which were also added to the botnet once compromised.

The botnet was used by its operators to brute force the logins of other WordPress sites, with over 5 million authentication brute-force attempts being blocked and over 14,000 proxy servers used to anonymize their C2 commands being detected during the attacks.