Nearly 1 million WordPress sites are being hit by what is likely a single threat actor attempting to inject a redirect into the sites by exploiting a cross site scripting vulnerability.

The attacks were discovered by the WordFence Threat Intelligence Team, which noted that since April 28 the number of XSS attacks has been 30 times its normal rate. The team believes a single actor is behind the attacks based on the fact that the same payload is used in each attack. The payload is a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

Ameet Naik, security evangelist at PerimeterX, noted that an XSS attack, while being used for a redirect here, can lead to more serious issues.

“Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware or hijack users to nefarious sites. Such techniques have been used to launch Magecart attacks against thousands of e-commerce sites resulting in the theft of millions of credit card numbers,” he told SC Media.

The scale of the attacks is staggering. WordFence believes the malicious actor may have launched a few small-scale attacks before April 28 ,but has since massively increased the number of incidents with 20 million attacks attempted against more than 500,000 individual sites on May 3 alone.

WordPress plugins have been the focus of many attacks, but this campaign is by far the largest spotted.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” the team reported.

The attacks are targeting five WordPress plugins — some of which have been discontinued, but are still in use by certain site operators — with vulnerabilities that may have not yet been patched by users. These include an XSS vulnerability in Easy2Map, a plugin with only 3,000 installs, which was pulled from the WordPress repository in August 2019, but was the focus of about half of the current attacks. Also targeted was an options update vulnerability in the plugin Total Donations, which was removed from the Envato Marketplace in early 2019.

These are an XSS vulnerability in Easy2Map, a plugin with only 3,000 installs, which was pulled from the WordPress repository in August 2019 but was the focus of about half of the current attacks. Also removed from availability, but targeted was the plugin Total Donations, which options update vulnerability.

Blog Designer, which currently has only about 1,000 installs still active, had its XSS vulnerability patched in 2019 in Blog Designer which was patched in 2019.

The options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL This plugin has 100,000 installs, but 95 percent have already received the updated.

Finally, the XSS vulnerability in Newspaper which was patched in 2016 was included.