
More XSS Flaws Are Being Patched in WordPress Plugins


Not long ago, WordPress Administrators were urged to update the popular All In One SEO plugin to address a cross-site scripting exploit. Let's dig a little deeper into why WordPress Plugins are so often easily exploitable.


Do you remember my point, in my article about the All In One SEO plugin being vulnerable, that plugins leave open doors into the WordPress core?

Well, not long ago, WordPress Administrators were urged to update the popular All In One SEO plugin to address a cross-site scripting exploit. Now other widely used plugins need to be updated as well.

WordPress’s plugin model could be called its greatest asset, and yet it is also the open door to exploits, vulnerabilities, and ways to hack into a web server. Administrators can easily find plugins for this-and-that feature to enhance their WordPress-based sites. Once a plugin is downloaded, it’s easily installed. However, far more often than not, the plugins are poorly coded and rarely updated. This gives hackers a way into the websites, because the plugin source code was not written with security in mind.

The WordPress Core, without any plugins installed, is pretty secure. But when a plugin is installed alongside the core, hackers can uncover a vulnerability in that plugin.

It turns out All-in-One wasn’t the only vulnerable plugin found by Summer of Pwnage, a Dutch community project working on uncovering vulnerabilities in popular applications. The project posted advisories on a dozen or so other XSS vulnerabilities in widely used WordPress plugins nearly a month ago.

The remaining plugins on this list had a cross-site scripting vulnerability that would allow an attacker to perform a variety of actions, such as stealing Administrator session tokens and performing arbitrary actions on the website with Administrator privileges. The flaws could be exploited by tricking WordPress administrators who were logged in into opening a malicious site.

All-in-One was vulnerable because the plugin failed to properly sanitize the requests, which let attackers inject malicious JavaScript code in the request headers. The vulnerability in all the other plugins was the result of a lack of output encoding on the page request parameter.

Failing to sanitize inputs and encode outputs is a common enough mistake in coding. WordPress normally validates this parameter to shut down cross-site scripting, but didn’t in these instances because of the way the parameter value was set.
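The missing output encoding described above, shown as an added PHP example that is not code from any of the plugins or advisories: a plugin settings form that reflects the page parameter, first unencoded and then passed through esc_attr(), which is the real WordPress API. The esc_attr() shim, the render_form_* and leaks_input() helpers, and the probe value are assumptions made so the file runs stand-alone.

```php
<?php
// Added example, not code from the advisories or from any plugin named above.
// It shows the bug class described: a plugin settings page that reflects the
// "page" request parameter into HTML without output encoding, next to the
// fixed version that encodes at the output sink.

// Stand-in so this file runs outside WordPress. Inside WordPress the real
// esc_attr() from wp-includes/formatting.php is used and this block is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw request value is concatenated into an attribute.
// $get stands in for $_GET so both variants can be exercised with a fixed input.
function render_form_vulnerable(array $get): string
{
    $page = isset($get['page']) ? $get['page'] : '';
    return '<form method="post" action="options-general.php?page=' . $page . '">';
}

// Hardened pattern: same markup, but the value is encoded for the attribute
// context at the sink, so it no longer matters how the parameter was set
// upstream or whether WordPress validated it earlier in the request.
function render_form_hardened(array $get): string
{
    $page = isset($get['page']) ? $get['page'] : '';
    return '<form method="post" action="options-general.php?page=' . esc_attr($page) . '">';
}

// Regression check a plugin test suite could keep: an untrusted value must never
// reach the markup with its quote and angle-bracket characters intact.
function leaks_input(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

// Constructed test input: a value that tries to close the attribute and the tag.
$probe = ['page' => 'my-plugin"><b>probe</b>'];

foreach (['vulnerable' => 'render_form_vulnerable', 'hardened' => 'render_form_hardened'] as $label => $fn) {
    $html = $fn($probe);
    printf("%-10s %s\n", $label . ':', $html);
    printf("%-10s leaks input: %s\n", '', leaks_input($html, $probe['page']) ? 'yes' : 'no');
}
```

Run it with `php` from a shell; the same leaks_input() check can be pointed at any template string a plugin builds from request data.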

Hackers like to target WordPress sites all the more because of the vulnerabilities in third-party plugins. Plenty of administrators, in my experience, neglect to patch both the WordPress core and their plugins. Even those diligent about staying on top of core updates may forget to update the plugins, or opt not to because they don’t want the updated plugins to break existing functionality.

When plugins are no longer being actively maintained, the administrator may decide to keep using the plugin instead of looking for an alternative. There are many reasons for still using outdated plugins, but the bottom line is that they provide attackers with a simple way to compromise and seize control of the WordPress site.



Published at DZone with permission of
