August 14, 2015 By Douglas Bonderud 2 min read

Cross-site scripting (XSS) problems continue to plague Web pages hosted by large enterprises and major content management tools such as WordPress. It makes sense: The ability to inject code and effectively gain control of what a user can see and do on any given page is a high-water mark for most cybercriminals. WordPress in particular has faced a flood of cross-site issues despite consistent and timely updates. According to Threatpost, British company dxw Security has now discovered another set of XSS vulnerability problems in the popular CMS, all of which pose significant risk.

XSS Vulnerability Issues a Common Concern

On July 23, WordPress released version 4.2.3, which addressed a serious XSS flaw that allowed low-level users to potentially run arbitrary JavaScript code on the front end of any page, gaining complete control. CRM giant Salesforce, meanwhile, just rolled out a new patch for its own XSS issue, which stemmed from a specific application function that “failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request.”

The result? Malicious actors could use JavaScript to lift cookies and session identifiers or force users to download malicious code. So it’s hardly a surprise that WordPress has yet another XSS flaw, especially given the sheer number of plugins used by companies to host a single page — and the number of actors looking for a hole in the code. Hopefully, the security firm’s recent discoveries prompt swift response.

New Risks

The first XSS risk stems from version 3.0 of WordPress’ iFrame plugin. Using this stored vulnerability could give users the power to inject the HTML code of their choosing into WordPress pages and bypass their existing privilege level. The team also discovered a reflected attack vector that could potentially compromise any pages running the get_params_from_url script and give malicious actors control.

Finally, dxw Security uncovered a flaw in Yoast’s Google Analytics plugin that allowed high-level users to attack other users by adding arbitrary bits of JavaScript code. According to Tom Adams of dxw Security, “A user with the ‘manage_options’ capability but not the ‘unfiltered_html’ capability is able to add arbitrary JavaScript to a page visible to admins.” WordPress said both the stored and reflected vulnerabilities have already been addressed by its 4.0 release, but Adams claimed that the stored plugin problem persists and users should disable it until a new version specifically addresses the flaw.

For WordPress, Salesforce and other high-profile software services, popularity is a blessing and a curse. As their user base continues to expand, so, too, does the number of threats as malicious actors look for ways to break through defenses and take control of internal and external Web services. The XSS vulnerability route remains a go-to for many cybercriminals since both platforms and plugins are typically vulnerable — and every patch introduced seems also to spur the discovery of new flaws. In the case of these new WordPress problems, the silver lining is that a security firm found them first, but there’s a critical takeaway: Don’t cross XSS off the list of likely threats just yet.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today