More XSS Flaws Are Being Patched in WordPress Plugins

Do you remember my statement, in my article about the All In One SEO plugin being vulnerable, about how plugins leave open doors into the WordPress core?

Just a few days ago, WordPress Administrators were urged to update the popular All In One SEO plugin to address a cross-site scripting exploit. Now other widely used plugins are needing to be updated.

WordPress’s plugin model could be called both its greatest asset and its open door to exploits, vulnerabilities, and ways to hack into a web server. Administrators can easily find plugins for this or that feature to enhance their WordPress-based sites. Once a plugin is downloaded, it is easily installed. However — far more often than not — the plugins are poorly coded and rarely updated. This gives hackers a way into the websites, because the plugin source code was not written with security in mind.

The WordPress Core — without any plugins installed — can be said to be pretty secure. Once plugins are installed with the core, hackers can uncover a vulnerability in one of them.

It turns out All-in-One wasn’t the only vulnerable plugin found by Summer of Pwnage, a Dutch community project working on uncovering vulnerabilities in popular applications. The project posted advisories on a dozen or so other XSS vulnerabilities in widely used WordPress plugins this week.

The remaining plugins on this list had a cross-site scripting vulnerability that would allow an attacker to perform a variety of actions, such as stealing Administrator session tokens and performing arbitrary actions on the website with Administrator privileges. The flaws could be exploited by tricking WordPress administrators who were logged in into opening a malicious site.

All-in-One was vulnerable because the plugin failed to properly sanitize requests, which let attackers inject malicious JavaScript into the request headers. The vulnerability in all the other plugins was the result of missing output encoding on the page request parameter.

Not sanitizing inputs and outputs is a common enough mistake in coding. WordPress normally validates this parameter to shut down cross-site scripting, but didn’t in these instances because of the way the parameter value was set.
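As an added example (not code from the advisories or from any plugin named here), here is the pattern described above in a PHP plugin page: the raw page request parameter written into an HTML attribute, beside the same code with output encoding. The esc_attr stand-in, the function names and the probe value are assumptions made so the file runs outside WordPress.

```php
<?php
// Added example, not code from the advisories or plugins discussed above.
// A plugin settings page echoes the 'page' request parameter into a form
// action. The plugin chose that slug when it registered its menu, so it is
// tempting to treat it as trusted, but on the request it is just another
// query parameter and must be encoded for output.

// Stand-in so the file runs outside WordPress; the real esc_attr() performs
// the same HTML-attribute escaping (plus charset normalisation).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the raw parameter is concatenated inside a
// double-quoted attribute, so a double quote in the value closes the
// attribute and whatever follows is parsed as markup.
function render_settings_form_vulnerable( array $get ) {
    $page = isset( $get['page'] ) ? $get['page'] : '';
    return '<form method="post" action="admin.php?page=' . $page . '">'
        . '<input type="submit" value="Save"></form>';
}

// Fixed pattern: encode for the attribute context at the point of output.
// (menu_page_url( $slug, false ) with the plugin's own slug would avoid
// reading the value back from the request at all.)
function render_settings_form_fixed( array $get ) {
    $page = isset( $get['page'] ) ? $get['page'] : '';
    return '<form method="post" action="admin.php?page=' . esc_attr( $page ) . '">'
        . '<input type="submit" value="Save"></form>';
}

// Review check: compare the number of raw double quotes in the output with
// the number the template itself contains. More quotes means the parameter
// broke out of its attribute.
function adds_raw_quotes( callable $render, array $get ) {
    $baseline = substr_count( $render( array( 'page' => '' ) ), '"' );
    return substr_count( $render( $get ), '"' ) > $baseline;
}

// Constructed probe value: a slug, a double quote and a tag-like fragment.
// Not a working payload, only enough to show the attribute break-out.
$request = array( 'page' => 'my-plugin"<probe>' );

foreach ( array( 'vulnerable' => 'render_settings_form_vulnerable',
                 'fixed'      => 'render_settings_form_fixed' ) as $label => $fn ) {
    echo $label, ': ', $fn( $request ), "\n";
    echo $label, ' adds raw quotes: ', adds_raw_quotes( $fn, $request ) ? 'yes' : 'no', "\n";
}
```

The vulnerable renderer reports the break-out while the fixed one does not, because esc_attr() turns the quote into an entity; the same check can be run against any plugin template that builds attributes from request values.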

Hackers like to target WordPress sites all the more because of the vulnerabilities in third-party plugins. Plenty of administrators, in my experience, neglect to patch WordPress core and plugins. Even those diligent about staying on top of the core updates may forget to update the plugins, or opt not to because they don’t want the updated plugins to break existing functionality.

When plugins are no longer being actively maintained, the administrator may decide to keep using the plugin instead of looking for an alternative. There are many reasons for still using outdated plugins, but the bottom line is that they provide attackers with a simple way to compromise and seize control of the WordPress site.


Categories: Programming, Security
