August 14, 2015 By Douglas Bonderud 2 min read

Cross-site scripting (XSS) problems continue to plague Web pages hosted by large enterprises and major content management tools such as WordPress. It makes sense: The ability to inject code and effectively gain control of what a user can see and do on any given page is a high-water mark for most cybercriminals. WordPress in particular has faced a flood of cross-site issues despite consistent and timely updates. According to Threatpost, British company dxw Security has now discovered another set of XSS vulnerability problems in the popular CMS, all of which pose significant risk.

XSS Vulnerability Issues a Common Concern

On July 23, WordPress released version 4.2.3, which addressed a serious XSS flaw that allowed low-level users to potentially run arbitrary JavaScript code on the front end of any page, gaining complete control. CRM giant Salesforce, meanwhile, just rolled out a new patch for its own XSS issue, which stemmed from a specific application function that “failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request.”

The result? Malicious actors could use JavaScript to lift cookies and session identifiers or force users to download malicious code. So it’s hardly a surprise that WordPress has yet another XSS flaw, especially given the sheer number of plugins used by companies to host a single page — and the number of actors looking for a hole in the code. Hopefully, the security firm’s recent discoveries prompt swift response.

New Risks

The first XSS risk stems from version 3.0 of WordPress’ iFrame plugin. Using this stored vulnerability could give users the power to inject the HTML code of their choosing into WordPress pages and bypass their existing privilege level. The team also discovered a reflected attack vector that could potentially compromise any pages running the get_params_from_url script and give malicious actors control.

Finally, dxw Security uncovered a flaw in Yoast’s Google Analytics plugin that allowed high-level users to attack other users by adding arbitrary bits of JavaScript code. According to Tom Adams of dxw Security, “A user with the ‘manage_options’ capability but not the ‘unfiltered_html’ capability is able to add arbitrary JavaScript to a page visible to admins.” WordPress said both the stored and reflected vulnerabilities have already been addressed by its 4.0 release, but Adams claimed that the stored plugin problem persists and users should disable it until a new version specifically addresses the flaw.

For WordPress, Salesforce and other high-profile software services, popularity is a blessing and a curse. As their user base continues to expand, so, too, does the number of threats as malicious actors look for ways to break through defenses and take control of internal and external Web services. The XSS vulnerability route remains a go-to for many cybercriminals since both platforms and plugins are typically vulnerable — and every patch introduced seems also to spur the discovery of new flaws. In the case of these new WordPress problems, the silver lining is that a security firm found them first, but there’s a critical takeaway: Don’t cross XSS off the list of likely threats just yet.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today