
XSS Vulnerability Discovered In WP Statistics WordPress Plugin

by ethhack

A severe cross-site scripting vulnerability could have affected hundreds of websites if exploited. The XSS vulnerability existed in the WordPress plugin WP Statistics. An attacker could take full control of a website by exploiting the flaw under specific circumstances.

WP Statistics XSS Vulnerability

Researchers from Sucuri have discovered a severe XSS security flaw in the WP Statistics WordPress plugin. The flaw could allow an attacker to take over a website under certain conditions.

As stated in their blog post, the vulnerability existed in the way a website using the plugin detects a visitor's IP address. Notably, an attacker could exploit this vulnerability on websites that sit behind a firewall.

As explained, with default configurations, a visitor's IP address passes through the firewall to the website. At this stage, the firewall can behave in different ways when passing the visitor's IP address on to the website. The passed IP address can either remain 'as-is', be modified by the firewall, or the firewall may modify the IP address but retain the original IP address in the header without modification.

In the latter case, an adversary could deliberately forward a malicious IP address because of the flaw in the plugin. As stated by the researchers,

The plugin's vulnerability is based on the condition where it doesn't sanitize or validate the user's IP.

However, a successful exploit also depends on the plugin settings.

The vulnerability can only be exploited when the plugin uses a header to identify the IP address of the visitor.

The firewall configuration must also satisfy one of two requirements for a successful exploit.

Either one of the following two conditions must also be met for the exploit: the firewall must be bypassable, OR the firewall must leave the header as-is, if it exists.
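To make the two conditions above concrete from the defender's side, the following is an added example, not code from WP Statistics or from Sucuri's write-up, of the pattern behind the flaw: a plugin that reads the visitor's IP address from a proxy header. The header name, the function names and the addresses are assumptions chosen for illustration. The vulnerable form returns the header value verbatim, so any text the header carries is stored as the "visitor IP". The hardened form only consults the header when the request actually arrived through a trusted proxy (which covers the "firewall bypassable" case) and only keeps a value that parses as an IP address (which covers the "header passed as-is" case).

```php
<?php
// Added example, not WP Statistics' own code. Header name, function names,
// trusted-proxy list and the sample request are all assumptions.

// Vulnerable pattern: trust the configured header verbatim.
function vulnerable_client_ip(array $server, string $header = 'HTTP_X_FORWARDED_FOR'): string
{
    // Whatever the upstream sent is treated as the visitor IP and later
    // stored and displayed. Nothing checks that it is actually an IP.
    if (!empty($server[$header])) {
        return $server[$header];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: consult the header only behind a trusted proxy, and
// keep only a value that is syntactically an IP address.
function hardened_client_ip(array $server, array $trusted_proxies, string $header = 'HTTP_X_FORWARDED_FOR'): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection (firewall bypassed) or no header present:
    // REMOTE_ADDR is the only source the server can vouch for.
    if (!in_array($remote, $trusted_proxies, true) || empty($server[$header])) {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2": the left-most slot is the client.
    $client = trim(explode(',', $server[$header])[0]);

    // filter_var rejects anything that is not a valid IPv4 or IPv6 address,
    // so arbitrary text in the header never reaches storage or the UI.
    if (filter_var($client, FILTER_VALIDATE_IP) !== false) {
        return $client;
    }
    return $remote;
}

// Constructed request: a trusted proxy at 198.51.100.1 forwards a header
// whose client slot is arbitrary text rather than an IP address.
$request = [
    'REMOTE_ADDR'          => '198.51.100.1',
    'HTTP_X_FORWARDED_FOR' => 'arbitrary-text-not-an-ip, 203.0.113.7',
];
$trusted = ['198.51.100.1'];

// The vulnerable function hands back the raw header text.
echo "vulnerable: ", vulnerable_client_ip($request), PHP_EOL;
// The hardened function discards it and falls back to the proxy address.
echo "hardened:   ", hardened_client_ip($request, $trusted), PHP_EOL;

// A well-formed header from the trusted proxy is still honoured.
$good = ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
echo "hardened:   ", hardened_client_ip($good, $trusted), PHP_EOL;

// A header sent on a direct connection (no trusted proxy) is ignored entirely.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
echo "hardened:   ", hardened_client_ip($direct, $trusted), PHP_EOL;
```

Validation on input is the fix for this class of bug, but whatever value ends up stored should still be escaped when it is rendered in the admin pages (WordPress provides esc_html() for that), since the stored string is exactly what a stored XSS delivers to the administrator's browser.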

[Figure: WP Statistics flaw exploit. Source: Sucuri]

Developers Patched The Flaw

After the researchers discovered the vulnerability, they contacted the developers on June 26, 2019. Following their communication, the developers released a fix in an updated plugin version on July 1, 2019.

The vulnerability affected WP Statistics plugin versions prior to 12.6.7. Users of this plugin should ensure their websites are updated to the latest plugin version (12.6.7) to stay protected from potential exploits.


Abeerah has been a passionate blogger for several years with a particular interest in science and technology. She is eager to know everything about the latest tech developments. Learning and writing about cybersecurity, hacking, and spying has always fascinated her. When she is not writing, what better pastime is there than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
