17 Oct 2022

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Responsive Lightbox & Gallery

Over the weekend, a forum topic was created for the WordPress plugin Responsive Lightbox & Gallery about Wordfence claiming there was a vulnerability in the plugin:

Hi, I have just received a critical error in my Wordfence dashboard that
‘The Plugin “Responsive Lightbox” has a security vulnerability … To protect your site from this vulnerability, the safest option is to deactivate and completely remove “Responsive Lightbox” until a patched version is available
Issue Found October 13, 2022 08:54’
Do you have a patch for this error, as the site is now vulnerable, and as I do like this plugin I do not want to remove it? [Read more]

3 Aug 2022

is_admin() Again Leads to WordPress Plugin Containing Vulnerability That Hackers Would Exploit

A recent review of the WordPress plugin Pop-up suggested the plugin is insecure:

I tested this plugin, it says it’s free, I tried to inject code to my site… then I understood if they want they can inject any malicious code to your website by using this plugin… you are clicking launch code on an external website, and this plugin will upload a code to your website based on the email address registered on both sites. So if you are using a sensitive website, don’t even try this plugin [Read more]

16 Jun 2022

Essential Addons for Elementor Again Appears to Have Unintentionally Fixed an Authenticated Persistent XSS Vulnerability

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing, or attempting to fix, vulnerabilities in their plugins. That appears to have happened again with one of the most popular WordPress plugins, Essential Addons for Elementor, which has 1+ million active installs according to WordPress.

Like the previous instance three weeks ago, the developer fixed an authenticated persistent cross-site scripting (XSS) vulnerability without disclosing it and possibly without knowing they were fixing it. Like last time, they also didn’t fully address the underlying insecurity. This time, it involves the Event Calendar element. The changelog for the version this was fixed in contains several entries for that element: [Read more]

26 May 2022

1+ Million Install WordPress Plugin Essential Addons for Elementor Unintentionally Fixed Two Instances of Vulnerability, Another Instance Remained

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing, or attempting to fix, vulnerabilities in their plugins. That appears to have happened with the version of one of the most popular WordPress plugins, Essential Addons for Elementor, which has 1+ million active installs according to WordPress, that was released yesterday.

One of the machine learning models we are testing flagged the changes being made to the PHP code in that version as having fixed a vulnerability. There is a changelog entry that indicates that a security change was being made to the plugin: [Read more]

28 Apr 2022

WordPress Security Plugin WordPress HTTPS Contains Authenticated Persistent XSS Vulnerability

Yesterday we ran across a vague claim that the WordPress security plugin WordPress HTTPS, which has 50,000+ installs, might have a security vulnerability that is involved in hacks of websites. The source isn’t a reliable one (despite being the developer of a popular security plugin) and they didn’t provide any information to back that up. In checking over the plugin, we quickly found a reasonably serious vulnerability, though one that seems unlikely to be connected with the hacking claim being made.

We tested and confirmed that our firewall plugin for WordPress protected against the vulnerability even before we discovered it, as part of its protection against zero-day vulnerabilities. [Read more]

13 Apr 2022

Recently Closed WordPress Plugin with 50,000+ Installs Contains Authenticated Persistent XSS Vulnerability

On Monday, the WordPress plugin Slideshow was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains an authenticated persistent cross-site scripting (XSS) vulnerability.

When creating or editing one of the plugin’s slideshows, there are text inputs in the Slideshow Settings for which there isn’t proper sanitization, validation, and/or escaping. Malicious JavaScript can be saved into at least some of those and then it will be output, which is an authenticated persistent XSS vulnerability. If that were limited to users with the unfiltered_html capability, that wouldn’t be a vulnerability (but would still be a security issue), but by default the plugin allows users with the Author role access to that and they don’t have that capability. [Read more]