CVE-2025-8047
Affected products: Multiple products *(specifically: disable-right-click-powered-by-pixterme, pixter-image-digital-license)*
Executive summary
A critical vulnerability has been identified in two WordPress plugins, disable-right-click-powered-by-pixterme and pixter-image-digital-license. The plugins load a compromised JavaScript file from a third-party source, allowing attackers to inject malicious code into any website using them. This can lead to the theft of user credentials, website defacement, or the distribution of malware to site visitors, representing a severe risk to the organization and its users.
Vulnerability
The vulnerability is a supply chain attack affecting the specified WordPress plugins. These plugins are designed to load a JavaScript file from an external Amazon S3 bucket. Ownership of this S3 bucket appears to have lapsed, and the bucket was subsequently acquired by a malicious actor. The attacker has replaced the legitimate JavaScript file with a malicious one, which is now served to the web browsers of all visitors to websites running the vulnerable plugins. This allows the attacker to execute arbitrary code within the context of a visitor's browser, leading to a persistent cross-site scripting (XSS) condition that compromises all users of the affected website.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation poses a direct and immediate threat to business operations, reputation, and data security. An attacker can leverage this vulnerability to steal sensitive user data such as login credentials and personal information, hijack user sessions, redirect users to malicious or phishing websites, or use the visitors' browsers for cryptocurrency mining. This can result in significant financial loss, regulatory fines for data breaches, loss of customer trust, and complete compromise of the website's integrity and its user base.
Remediation
Immediate Action: Update the affected plugins, disable-right-click-powered-by-pixterme and pixter-image-digital-license, to the latest patched versions as recommended by the vendor. If a patched version is not available, the plugins must be disabled and uninstalled immediately to remove the threat. After taking action, review web server and application logs for any signs of compromise or unusual activity during the period the plugin was active.
Proactive Monitoring: Monitor outbound network traffic from web servers to identify and block any requests to the compromised S3 bucket. Implement a Web Application Firewall (WAF) with rules to detect and block malicious script injections. Regularly review website files and content for any unauthorized modifications or injected code that may persist even after the plugin is removed.
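One practical form of the file and content review above is to scan the HTML the site serves and the plugin source on disk for script references to third-party hosts, flagging any S3 bucket hostname (not only the known-compromised one, since any lapsed bucket carries the same risk) and any host outside an allowlist. Note that the malicious script is fetched by visitors' browsers, not by the web server, so egress monitoring on the server alone will not see those requests; scanning what the server emits is the reliable check. The following is an added example, not code from the advisory or the plugin vendor; the compromised hostname, the allowlist, the site origin and the sample page and plugin file are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hypothetical placeholder: the advisory does not name the compromised bucket,
# so substitute the hostname from the vendor notice before running this.
COMPROMISED_HOSTS = {"example-compromised-bucket.s3.amazonaws.com"}

# Constructed allowlist of hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}

# S3 virtual-hosted and path-style hostnames, e.g. bucket.s3.amazonaws.com,
# bucket.s3.eu-west-1.amazonaws.com, s3.amazonaws.com, s3-us-west-2.amazonaws.com
S3_HOST_RE = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.IGNORECASE)

# <script src=...> in rendered HTML, and any absolute .js URL in PHP/JS source
# (catches plugin code that enqueues a remote script).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
JS_URL_RE = re.compile(r"https?://[^\s'\"<>)]+\.js(?:\?[^\s'\"<>)]*)?", re.IGNORECASE)


def external_script_refs(text, site_host):
    """Return (url, host, reason) for every third-party script reference in text.

    reason is 'known-compromised', 's3-bucket' (any S3 host; review it because a
    lapsed bucket can be re-registered) or 'unlisted-third-party' (not allowlisted).
    """
    findings, seen = [], set()
    for url in SCRIPT_SRC_RE.findall(text) + JS_URL_RE.findall(text):
        full = "https:" + url if url.startswith("//") else url   # scheme-relative -> https
        host = urlparse(full).hostname                            # None for relative paths
        if not host or host == site_host or full in seen:
            continue                                              # same-origin or duplicate
        seen.add(full)
        if host in COMPROMISED_HOSTS:
            findings.append((full, host, "known-compromised"))
        elif S3_HOST_RE.search(host):
            findings.append((full, host, "s3-bucket"))
        elif host not in ALLOWED_HOSTS:
            findings.append((full, host, "unlisted-third-party"))
    return findings


# Constructed sample: a rendered page from the hypothetical site www.example.org.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://www.example.org/wp-content/plugins/foo/foo.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash/4.17.21/lodash.min.js"></script>
<script src="https://example-compromised-bucket.s3.amazonaws.com/drc.js"></script>
<script src='//other-bucket.s3.eu-west-1.amazonaws.com/lic.js'></script>
<script src="https://tracker.example.net/t.js"></script>
</head><body></body></html>"""

# Constructed sample: a plugin PHP file that enqueues a remote script.
SAMPLE_PHP = """<?php
wp_enqueue_script('vendor-js', 'https://example-compromised-bucket.s3.amazonaws.com/drc.js', [], null, true);
"""

if __name__ == "__main__":
    for label, text in (("page", SAMPLE_HTML), ("plugin", SAMPLE_PHP)):
        for url, host, reason in external_script_refs(text, "www.example.org"):
            print(f"{label}: {reason:22} {url}")
```

Run it over saved copies of the site's rendered pages and over `wp-content/plugins/` after removal as well, since injected references can persist outside the plugin directory.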
Compensating Controls: If patching or removal is not immediately possible, implement a strict Content Security Policy (CSP). A properly configured CSP can prevent the browser from loading and executing scripts from untrusted external domains, including the compromised S3 bucket, thereby mitigating the vulnerability's impact.
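"Properly configured" is the operative phrase: a policy such as `script-src 'self' https:` or `script-src https://*.amazonaws.com` still permits the compromised script, because a scheme-only source allows every HTTPS host and a wildcard on the S3 domain allows every bucket, which is exactly the lapsed-bucket failure mode. The following added example (not from the advisory) approximates the CSP3 host-source matching rules for `script-src` (scheme, host with leading wildcard, port, path prefix) and evaluates three candidate policies against a placeholder script URL; the compromised URL, the site origin and the policies are constructed, and the matcher is a simplified model rather than a full CSP implementation.

```python
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical placeholder: the advisory does not name the compromised bucket.
COMPROMISED_SCRIPT = "https://example-compromised-bucket.s3.amazonaws.com/drc.js"
PAGE_ORIGIN = "https://www.example.org"      # constructed origin of the WordPress site

# Three candidate policies: two common but weak ones and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' https:"
WILDCARD_CSP = "default-src 'self'; script-src 'self' https://*.amazonaws.com"
HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com/ajax/"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]} (first occurrence wins)."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _host_source_matches(src, url, page):
    """Approximate CSP3 host-source matching: [scheme://]host[:port][/path]."""
    scheme = None
    if "://" in src:
        scheme, src = src.split("://", 1)
        scheme = scheme.lower()
    hostport, _, path = src.partition("/")
    host, _, port = hostport.partition(":")
    host = host.lower()
    # Scheme: an explicit http is satisfied by https; with no scheme the script
    # must use the page's scheme (or https).
    if scheme:
        if url.scheme != scheme and not (scheme == "http" and url.scheme == "https"):
            return False
    elif url.scheme not in (page.scheme, "https"):
        return False
    # Host: "*.example.com" matches subdomains only, never the bare domain.
    if host.startswith("*."):
        if not url.hostname.endswith(host[1:]):
            return False
    elif host != "*" and url.hostname != host:
        return False
    # Port: explicit port must match; an omitted port means the scheme's default.
    if port == "*":
        pass
    elif port:
        if _effective_port(url) != int(port):
            return False
    elif _effective_port(url) != DEFAULT_PORTS.get(url.scheme):
        return False
    # Path: a trailing "/" is a prefix match, anything else must match exactly.
    if path:
        want = "/" + path
        if want.endswith("/"):
            return url.path.startswith(want)
        return url.path == want
    return True


def script_allowed(header, script_url, page_origin=PAGE_ORIGIN):
    """Return True if the policy lets a page at page_origin load script_url."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                      # no governing directive: the load is allowed
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    url = urlparse(urljoin(page_origin, script_url))   # resolve relative URLs
    page = urlparse(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if (url.scheme, url.hostname, _effective_port(url)) == \
               (page.scheme, page.hostname, _effective_port(page)):
                return True
        elif s.startswith("'"):
            continue                     # nonces, hashes, 'unsafe-*' never match a URL
        elif s.endswith(":"):            # scheme-source such as "https:"
            if url.scheme == s[:-1] or (s == "http:" and url.scheme == "https"):
                return True
        elif _host_source_matches(src, url, page):
            return True
    return False


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("wildcard", WILDCARD_CSP), ("hardened", HARDENED_CSP)):
        verdict = "ALLOWED" if script_allowed(csp, COMPROMISED_SCRIPT) else "blocked"
        print(f"{name:9} {verdict}  {csp}")
```

Only the hardened policy, which names the exact third-party origins (and, where possible, paths) the site legitimately needs, blocks the compromised script; deploy it first in `Content-Security-Policy-Report-Only` to find legitimate scripts it would break before enforcing it.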
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and active exploitation, this vulnerability requires immediate and urgent attention. We recommend treating this as an emergency and applying the remediation plan without delay. Organizations must either update the affected plugins to a secure version or, if no update is available, disable and uninstall them immediately. Although the vulnerability is not yet listed in the CISA KEV catalog, its active exploitation status indicates a high probability of widespread impact, posing a severe and ongoing risk to the organization and its customers.