Thursday, March 6, 2025

WordPress AMP Plugin Vulnerability Impacts Up To 100,000+ Websites


The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, patched a medium severity vulnerability that would allow an attacker to inject malicious scripts that are executed in the browsers of website visitors.

Cross-Site Scripting Via Shortcode

Cross-site scripting (XSS) is among the most common types of vulnerability. In the context of WordPress plugins, XSS vulnerabilities occur when a plugin offers a way to enter data that is not sufficiently protected by a process that validates or sanitizes user input.

Sanitization is a way to block unwanted kinds of input. For example, if a plugin allows a user to add text through an input field, then it should also sanitize anything else entered into that field that does not belong, like a script or a zip file.

A shortcode is a WordPress feature that allows users to insert a tag that looks like this [example] inside posts and pages. Shortcodes embed functionality or content that is provided by a plugin. This allows users to configure a plugin through an admin panel and then copy and paste a shortcode into a post or page where they want the plugin functionality to appear.

A “cross-site scripting via shortcode” vulnerability is a security flaw that allows an attacker to inject malicious scripts into a website by exploiting the shortcode function of the plugin.

According to a report recently published by the WordPress security company Patchstack:

“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 1.0.89.”

Wordfence describes the vulnerability:

“The Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes.”

Wordfence also clarifies that this is an authenticated vulnerability, which for this particular exploit means that an attacker needs at least contributor-level permissions in order to take advantage of it.
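As an added illustration that is not the plugin's own code, here is a hypothetical [demo_button] shortcode handler in the shape Wordfence describes (user-supplied attributes concatenated into HTML with no sanitization or escaping), followed by the corrected form that escapes each attribute for the context it lands in. The shortcode name, attribute names and function names are invented for the example; the WordPress functions used (shortcode_atts, esc_url, esc_html, add_shortcode) are real core APIs.

```php
<?php
// Added example, not the plugin's code. A contributor can place a shortcode in a
// post, so every attribute value is untrusted input that is stored and later
// rendered for every visitor of the page.

// VULNERABLE: attribute values are pasted straight into the markup.
// A value containing a quote or angle bracket closes the attribute or tag and
// whatever follows becomes live HTML for every visitor: stored XSS.
function demo_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'label' => 'Go' ),
        $atts,
        'demo_button'
    );
    return '<a class="demo-btn" href="' . $atts['url'] . '">' . $atts['label'] . '</a>';
}

// FIXED: escape on output, choosing the escaper for the output context.
// esc_url() normalizes the URL and drops disallowed schemes such as javascript:,
// esc_html() encodes characters that would otherwise open a new tag.
function demo_button_fixed( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'label' => 'Go' ),
        $atts,
        'demo_button'
    );
    $url   = esc_url( $atts['url'] );    // href attribute context
    $label = esc_html( $atts['label'] ); // text node context
    return sprintf( '<a class="demo-btn" href="%s">%s</a>', $url, $label );
}

// Register the hardened handler; the vulnerable one is kept only for comparison.
add_shortcode( 'demo_button', 'demo_button_fixed' );
```

When reviewing a plugin for this class of bug, look at every shortcode callback and confirm each attribute is passed through an escaper that matches where it is printed (esc_attr for attributes, esc_url for hrefs, esc_html for text).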

This exploit is rated by Patchstack as a medium severity vulnerability, scoring 6.5 on a scale of 1-10 (with ten being the most severe).

Users are advised to check their installations to ensure they are patched to at least version 1.0.89.

Read the Patchstack report here:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Read the Wordfence announcement here:
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Featured Image by Shutterstock/pedrorsfernandes
