August 14, 2015 By Douglas Bonderud 2 min read

Cross-site scripting (XSS) problems continue to plague Web pages hosted by large enterprises and major content management tools such as WordPress. It makes sense: The ability to inject code and effectively gain control of what a user can see and do on any given page is a high-water mark for most cybercriminals. WordPress in particular has faced a flood of cross-site issues despite consistent and timely updates. According to Threatpost, British company dxw Security has now discovered another set of XSS vulnerability problems in the popular CMS, all of which pose significant risk.

XSS Vulnerability Issues a Common Concern

On July 23, WordPress released version 4.2.3, which addressed a serious XSS flaw that allowed low-level users to potentially run arbitrary JavaScript code on the front end of any page, gaining complete control. CRM giant Salesforce, meanwhile, just rolled out a new patch for its own XSS issue, which stemmed from a specific application function that “failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request.”

The result? Malicious actors could use JavaScript to lift cookies and session identifiers or force users to download malicious code. So it’s hardly a surprise that WordPress has yet another XSS flaw, especially given the sheer number of plugins used by companies to host a single page — and the number of actors looking for a hole in the code. Hopefully, the security firm’s recent discoveries prompt swift response.

New Risks

The first XSS risk stems from version 3.0 of WordPress’ iFrame plugin. Using this stored vulnerability could give users the power to inject the HTML code of their choosing into WordPress pages and bypass their existing privilege level. The team also discovered a reflected attack vector that could potentially compromise any pages running the get_params_from_url script and give malicious actors control.

Finally, dxw Security uncovered a flaw in Yoast’s Google Analytics plugin that allowed high-level users to attack other users by adding arbitrary bits of JavaScript code. According to Tom Adams of dxw Security, “A user with the ‘manage_options’ capability but not the ‘unfiltered_html’ capability is able to add arbitrary JavaScript to a page visible to admins.” WordPress said both the stored and reflected vulnerabilities have already been addressed by its 4.0 release, but Adams claimed that the stored plugin problem persists and users should disable it until a new version specifically addresses the flaw.

For WordPress, Salesforce and other high-profile software services, popularity is a blessing and a curse. As their user base continues to expand, so, too, does the number of threats as malicious actors look for ways to break through defenses and take control of internal and external Web services. The XSS vulnerability route remains a go-to for many cybercriminals since both platforms and plugins are typically vulnerable — and every patch introduced seems also to spur the discovery of new flaws. In the case of these new WordPress problems, the silver lining is that a security firm found them first, but there’s a critical takeaway: Don’t cross XSS off the list of likely threats just yet.

More from

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today