Sunday, 26 April 2015

Swarm of WordPress Plugins Susceptible to Potentially Dangerous Exploits

More than a dozen WordPress plugins have been updated to patch vulnerabilities that allow attackers to inject potentially dangerous code into the browsers of people visiting trusted websites. Administrators responsible for WordPress sites should make sure the fixes are installed as soon as possible. The cross-site scripting (XSS) vulnerabilities make it possible for attackers to craft special URLs that inject client-side code into vulnerable webpages viewed by whoever opens them. These are reflected XSS flaws: the payload travels in the URL, so the victim has to be lured into opening the crafted link, and because the affected pages in these plugins are mostly in the WordPress admin area, the realistic target is a logged-in administrator. Script running in that browser can do anything the administrator can do, such as creating accounts or installing code. XSS exploits can also steal authentication cookies, which give a user access to a private account without entering a password (WordPress marks its own authentication cookies HttpOnly, which blocks direct reads from script but does not stop injected script from issuing authenticated requests), and they can change the content of the vulnerable page. Along with SQL injection, XSS is among the most common classes of attack carried out on the internet.




In the past few days, more than a dozen WordPress plugins have been updated to purge XSS vulnerabilities. According to an advisory published by the web application security firm Sucuri, they are:

- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms




The vulnerabilities are the result of developers misusing two widely used WordPress functions that modify or add query strings to URLs, add_query_arg() and remove_query_arg(). Many developers mistakenly assumed the functions would escape, or sanitize, user input so that the result is safe to use. They do not: when called without an explicit URL, both functions build on the current request URI ($_SERVER['REQUEST_URI']), which the attacker controls, and return it unescaped. The return value must therefore be passed through esc_url() before it is printed into HTML, or through esc_url_raw() when it is used for a redirect or stored rather than displayed. The WordPress developer team has more guidance here:

https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage
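The misuse and its fix, as an added example that is not code from the original post or from any of the plugins listed above. The plugin slug my-plugin and its settings and notice links are hypothetical; add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw(), admin_url() and wp_safe_redirect() are WordPress core functions, so the snippet runs only inside a WordPress plugin:

```php
<?php
// Added example, not code from any of the plugins named in the advisory.
// The "my-plugin" slug and its admin page are hypothetical; the functions
// called are WordPress core.

// VULNERABLE: with no $url argument, add_query_arg() starts from
// $_SERVER['REQUEST_URI'] and returns it unescaped. A request such as
//   /wp-admin/admin.php?page=my-plugin&x="><script>alert(1)</script>
// is reflected straight into the href attribute of the link below.
function my_plugin_settings_link_vulnerable() {
    $url = add_query_arg( array( 'page' => 'my-plugin', 'tab' => 'settings' ) );
    echo '<a href="' . $url . '">Settings</a>';
}

// FIXED: escape at the point of output. esc_url() encodes characters such as
// " < > and rejects schemes like javascript:, so a reflected payload cannot
// break out of the attribute.
function my_plugin_settings_link() {
    $url = add_query_arg( array( 'page' => 'my-plugin', 'tab' => 'settings' ) );
    echo '<a href="' . esc_url( $url ) . '">Settings</a>';
}

// remove_query_arg() has the same problem and the same fix.
function my_plugin_dismiss_notice_link() {
    $url = remove_query_arg( array( 'updated', 'error' ) );
    echo '<a href="' . esc_url( $url ) . '">Dismiss</a>';
}

// Non-HTML context (redirect header, database): use esc_url_raw(), which
// does the same validation but does not HTML-encode the ampersands the way
// esc_url() does, so the resulting Location header stays a valid URL.
function my_plugin_after_save() {
    wp_safe_redirect( esc_url_raw( add_query_arg( 'updated', 'true' ) ) );
    exit;
}

// Passing an explicit, trusted base URL avoids building on REQUEST_URI at
// all; the result is still escaped at output, since escaping belongs where
// the value leaves the application, not where it is created.
function my_plugin_admin_link() {
    $url = add_query_arg( 'page', 'my-plugin', admin_url( 'admin.php' ) );
    echo '<a href="' . esc_url( $url ) . '">Open</a>';
}
```

A quick audit heuristic for the advice to scrutinize every installed plugin: search wp-content/plugins for calls to add_query_arg( and remove_query_arg( and confirm that each result is wrapped in esc_url() or esc_url_raw() before it is echoed or sent as a header. A search such as `grep -rn 'add_query_arg\|remove_query_arg' wp-content/plugins | grep -v esc_url` surfaces candidates, but it also flags legitimate uses whose escaping happens on a later line, so each hit still needs a look.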


The plugins listed above were updated as part of a coordinated response following a blog post from last week that brought the XSS hole to light. Sucuri and others then analyzed the top 300 or so plugins and notified the developers of those found to be vulnerable. WordPress admins who use any of them should ensure they have been updated in the past few days to patch the bug. It is likely that additional WordPress plugins remain vulnerable, so admins should scrutinize all plugins running on their website to make sure they are not susceptible to the same type of attack.




Info Sources:

https://en.wikipedia.org/wiki/Cross-site_scripting

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update

https://yoast.com/coordinated-security-release

https://easydigitaldownloads.com/?p=500387

http://updraftplus.com/new-security-vulnerability-found-across-significant-numbers-of-wordpress-plugins-including-updraftplus

http://www.barrykooij.com/several-security-updates-released

https://www.joedolson.com/2015/04/important-security-fix-for-my-calendar

https://wordpress.org/plugins/give

https://ithemes.com/2015/04/20/coordinated-wordpress-plugin-security-update


