Cross-site scripting (XSS) problems continue to plague Web pages hosted by large enterprises and major content management tools such as WordPress. It makes sense: The ability to inject code and effectively gain control of what a user can see and do on any given page is a high-water mark for most cybercriminals. WordPress in particular has faced a flood of cross-site issues despite consistent and timely updates. According to Threatpost, British company dxw Security has now discovered another set of XSS vulnerability problems in the popular CMS, all of which pose significant risk.

XSS Vulnerability Issues a Common Concern

On July 23, WordPress released version 4.2.3, which addressed a serious XSS flaw that allowed low-level users to potentially run arbitrary JavaScript code on the front end of any page, gaining complete control. CRM giant Salesforce, meanwhile, just rolled out a new patch for its own XSS issue, which stemmed from a specific application function that “failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request.”

The result? Malicious actors could use JavaScript to lift cookies and session identifiers or force users to download malicious code. So it’s hardly a surprise that WordPress has yet another XSS flaw, especially given the sheer number of plugins used by companies to host a single page — and the number of actors looking for a hole in the code. Hopefully, the security firm’s recent discoveries will prompt a swift response.

New Risks

The first XSS risk stems from version 3.0 of WordPress’ iFrame plugin. Exploiting this stored vulnerability could give users the power to inject the HTML code of their choosing into WordPress pages and bypass their existing privilege level. The team also discovered a reflected attack vector that could potentially compromise any pages running the get_params_from_url script and give malicious actors control.

Finally, dxw Security uncovered a flaw in Yoast’s Google Analytics plugin that allowed high-level users to attack other users by adding arbitrary bits of JavaScript code. According to Tom Adams of dxw Security, “A user with the ‘manage_options’ capability but not the ‘unfiltered_html’ capability is able to add arbitrary JavaScript to a page visible to admins.” WordPress said both the stored and reflected vulnerabilities have already been addressed by its 4.0 release, but Adams claimed that the stored plugin problem persists and users should disable it until a new version specifically addresses the flaw.
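The capability gap Adams describes can be closed where a plugin saves its settings. The sketch below is an added illustration, not code from Yoast's plugin or from dxw Security's advisory; the option, group and function names are hypothetical, and it assumes a settings field that is meant to hold a small HTML snippet.

```php
<?php
// Added illustration; not the plugin's own code.
// Option, group and function names are hypothetical.

add_action( 'admin_init', 'example_register_settings' );

function example_register_settings() {
    register_setting(
        'example_options_group',
        'example_custom_snippet',
        array( 'sanitize_callback' => 'example_sanitize_snippet' )
    );
}

/**
 * Runs whenever the option is saved.
 *
 * 'manage_options' only lets a user reach the settings screen. Storing raw
 * markup is a separate privilege, 'unfiltered_html', so it is checked on its
 * own instead of being implied by access to the form.
 */
function example_sanitize_snippet( $value ) {
    $value = (string) $value;

    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // This user is already trusted to publish raw HTML.
    }

    // Everyone else gets the same allow-list WordPress applies to post
    // content: <script> tags and on* event-handler attributes are removed.
    return wp_kses_post( $value );
}

/**
 * Output side. The snippet was filtered at save time; values that are not
 * meant to be HTML are escaped for the context they land in.
 */
function example_render_admin_notice() {
    $snippet = get_option( 'example_custom_snippet', '' );
    $site    = get_bloginfo( 'name' );

    echo '<div class="notice">';
    echo '<p>' . esc_html( $site ) . '</p>'; // plain text in an HTML body
    echo $snippet;                           // HTML, filtered on save above
    echo '<script>var exampleSite = ' . wp_json_encode( $site ) . ';</script>';
    echo '</div>';
}
```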

For WordPress, Salesforce and other high-profile software services, popularity is a blessing and a curse. As their user base continues to expand, so, too, does the number of threats as malicious actors look for ways to break through defenses and take control of internal and external Web services. The XSS vulnerability route remains a go-to for many cybercriminals since both platforms and plugins are typically vulnerable — and every patch introduced seems also to spur the discovery of new flaws. In the case of these new WordPress problems, the silver lining is that a security firm found them first, but there’s a critical takeaway: Don’t cross XSS off the list of likely threats just yet.
