Hackers target 1.5M WordPress sites with cookie consent plugin exploit


Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.

In XSS attacks, threat actors inject malicious JavaScript scripts into vulnerable websites that will execute within the visitors’ web browsers.

The impact can include unauthorized access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or a complete compromise of the target’s system.

WordPress security company Defiant, which spotted the attacks, says the vulnerability in question also allows unauthenticated attackers to create rogue admin accounts on WordPress websites running unpatched plugin versions (up to and including 2.10.1).

The security flaw exploited in this campaign was patched in January with the release of version 2.10.2.

“According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen,” threat analyst Ram Gall said.

“We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”

Blocked attacksBlocked attacks (Wordfence)

​Despite the large-scale nature of this ongoing attack campaign, Gall says the threat actor uses a misconfigured exploit that would likely not deploy a payload even when targeting a WordPress site running a vulnerable plugin version.

Even so, admins or owners of websites using the Beautiful Cookie Consent Banner plugin are advised to update it to the latest version because even a failed attack could corrupt the plugin’s configuration stored in the nsc_bar_bannersettings_json option.

The plugin’s patched versions have also been updated to repair itself in the event that the website was targeted in these attacks.

While the current wave of attacks might not be able to inject websites with a malicious payload, the threat actor behind this campaign could address this issue at any time and potentially infect any sites that remain exposed.

Last week, threat actors also started probing the internet for WordPress websites running vulnerable versions of the Essential Addons for Elementor and WordPress Advanced Custom Fields plugins.

The campaigns started after the release of proof-of-concept (PoC) exploits, allowing unauthenticated attackers to hijack websites after resetting admin passwords and gaining privileged access, respectively.


  • PluginVulns Photo PluginVulns – 3 days ago

    What isn't mentioned in your story is that the vulnerability in question was a zero-day that was originally exploited in January before it was fixed. We ran across a discussion about that exploitation and identified the issue,, which we later confirmed was what was being exploited. We then worked with the developer to get it promptly fixed. This was widely exploited at the time, so it is unlikely there are many, if any, websites that haven't already been hacked if they are still running a vulnerable version.

    What is rather notable here is that your source for this story, Wordfence, had incorrectly claimed the vulnerability had been fixed months before it was fixed. Two other providers, WPScan and Patchstack had also claimed it had been fixed at the time. Wordfence also failed to pick up on the exploitation until days after it had been fixed.

    We also were hired by the developer to do a security review,, to make sure the plugin got fully secured.

    In March we tested to see if WordPress security plugins would protect against exploitation of the vulnerability and found that only 25% did:


Related posts

Russians hacked JFK airport’s taxi dispatch system for profit

Sarah Henriquez

Iranian hackers use new Moneybird ransomware to attack Israeli orgs

Sarah Henriquez

Medusa ransomware claims attack on Open University of Cyprus

Sarah Henriquez

Leave a Comment