Hacked WordPress sites use visitors' browsers to hack other sites
Hacked WordPress sites use visitors' browsers to hack other sites
Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors' browsers to bruteforce passwords for other sites.
Summary
Hackers are compromising WordPress sites to inject malicious scripts. These scripts can either steal cryptocurrency from visitors' wallets or hijack their browsers to launch brute-force attacks against other websites. The hackers are likely building a larger pool of compromised sites to launch more extensive attacks in the future.
will cause the visitor's browser to quietly upload a file using the WordPress site's XMLRPC interface
It's absurd that XMLRPC is still not disabled by default.
It's been an unnecessary weak point in the attack surface for many years.