
How a Stored XSS in WP Plugin Allowed Automated Takeovers


Recently, a vulnerability addressed in the WP Product Review Lite plugin in WordPress could be abused by unauthenticated attackers to hack websites. WP Product Review Lite is designed for creating product reviews on WordPress websites. It supports the creation of a top products review widget and also allows monetization through the addition of a “buy now” button in posts. The plugin has more than 40,000 installations.

The Vulnerability
The vulnerability, discovered by researchers at Sucuri Labs, is a persistent XSS that could be exploited by remote, unauthenticated attackers. “During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin,” reads the analysis published by Sucuri.

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”

Last week, the team of developers behind the plugin addressed an unauthenticated persistent Cross-Site Scripting (XSS) vulnerability that could have been exploited to inject code into all of a website’s product pages.

Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website. The issue, Sucuri security researchers explain, is that, although all user input data is sanitized, one of the employed WordPress functions can be bypassed if the attacker sets a parameter inside an HTML attribute. “A successful attack results in malicious scripts being injected in all the site’s products,” the researchers explain.
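
The bypass described above comes from sanitizing for one context and printing into another. The following PHP is an added example, not the plugin's code or Sucuri's proof of concept: `strip_tags()` stands in for the sanitizer the article does not name, and the `product_name` field and the sample values are constructed.

```php
<?php
// Added illustration, not the plugin's code. strip_tags() stands in for the
// unnamed sanitizer; the field name and sample values are constructed.

// Input-time sanitizer: removes tags but leaves quote characters untouched.
function sanitize_input(string $raw): string {
    return trim(strip_tags($raw));
}

// Vulnerable render: the sanitized value is placed in an attribute as-is.
function render_unsafe(string $stored): string {
    return '<input name="product_name" value="' . $stored . '">';
}

// Hardened render: encode for the attribute context at output time.
// In WordPress this is the job of esc_attr().
function render_safe(string $stored): string {
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="product_name" value="' . $encoded . '">';
}

// Parse the markup the way a browser would and list the <input>'s attributes.
function attribute_names(string $html): array {
    libxml_use_internal_errors(true); // keep libxml parse warnings out of the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed inputs: one with markup, one that only closes the attribute.
$samples = [
    'tag injection'      => '<b>Widget</b>',
    'attribute breakout' => 'Widget" data-injected="1',
];

foreach ($samples as $label => $raw) {
    $stored = sanitize_input($raw);
    printf("%s\n  stored: %s\n  unsafe attrs: %s\n  safe attrs:   %s\n",
        $label, $stored,
        implode(',', attribute_names(render_unsafe($stored))),
        implode(',', attribute_names(render_safe($stored))));
}
```

The harmless `data-injected` marker survives tag stripping and becomes a real attribute in the unsafe render; an event-handler attribute would arrive the same way, which is why encoding has to match the output context.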

An attacker could trick a site admin into accessing the compromised products and then redirect the admin to a rogue site or steal the session cookies to authenticate on behalf of the administrator. Once authenticated as an admin, the attacker could add a new admin account to take over the site.

An attack can be launched without authentication, which means that threat actors can automate attacks, Sucuri warns. This makes it easy for cybercriminals to mount attacks against a large number of vulnerable websites. “The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous,” Sucuri’s researchers note.

Researchers at Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.

Mitigation
Sucuri reported the vulnerability on May 13 and a patch was released the next day, with version 3.7.6 of WP Product Review Lite. While no active exploitation attempts have been observed, the security researchers recommend that site admins upgrade to the patched version as soon as possible, as older iterations of the plugin remain vulnerable to attacks and potential compromise.

“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude. “The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”
