More WordPress plugin flaws discovered: wpDataTables Lite has two vulnerabilities, both linked to insufficient sanitization of user-supplied data, that pose risks of cross-site scripting (XSS) and SQL injection. The vendor has issued an update that resolves both problems.
New threats to WordPress via plugin vulnerabilities, this time in wpDataTables Lite. According to Cyber Security Help, the plugin has two flaws related to insufficient sanitization of user-supplied data: one creates a risk of cross-site scripting (XSS), the other of SQL injection. In the first case, the disclosed vulnerability allows a remote attacker to perform XSS attacks by tricking the victim into following a specially crafted link, executing arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation may allow an attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks. In the second case, the flaw allows a remote authenticated user to execute arbitrary SQL queries against the database. Successful exploitation may allow them to read, delete, or modify data in the database and gain complete control over the application. The vendor has issued updates that resolve both problems.
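To illustrate the two defect classes the advisory describes, here is an added example (not code from wpDataTables Lite or its vendor) of a hypothetical WordPress AJAX handler, first in the weak form where request values reach the SQL query and the HTML response untouched, then hardened with the standard WordPress APIs. The table name, action name, and capability are assumptions.

```php
<?php
// Hypothetical handler, "before": a table id and a search string from the
// request are used as-is. This is the pattern behind an authenticated
// SQL injection (string-built query) and a reflected XSS (unescaped echo).
function hypo_table_search_vulnerable() {
    global $wpdb;
    $table_id = $_GET['table_id'];
    $search   = $_GET['search'];
    // An authenticated user controls part of the SQL text.
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}hypo_tables WHERE id = $table_id AND title LIKE '%$search%'"
    );
    // The search term is reflected into the page without escaping, so a
    // crafted link can inject markup and script into the response.
    echo '<p>Results for ' . $search . '</p>';
    foreach ( $rows as $row ) {
        echo '<li>' . $row->title . '</li>';
    }
    wp_die();
}

// "After": nonce and capability checks, typed and sanitized input, a prepared
// statement, and output escaping at the point of rendering.
function hypo_table_search_hardened() {
    global $wpdb;
    check_ajax_referer( 'hypo_table_search', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $table_id = absint( $_GET['table_id'] ?? 0 );
    $search   = sanitize_text_field( wp_unslash( $_GET['search'] ?? '' ) );
    // Placeholders bind the values; esc_like() neutralises % and _ in the LIKE pattern.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title FROM {$wpdb->prefix}hypo_tables WHERE id = %d AND title LIKE %s",
            $table_id,
            '%' . $wpdb->esc_like( $search ) . '%'
        )
    );
    // Escape on output, including data read back from the database.
    echo '<p>Results for ' . esc_html( $search ) . '</p>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->title ) . '</li>';
    }
    wp_die();
}
add_action( 'wp_ajax_hypo_table_search', 'hypo_table_search_hardened' );
```

The same review checklist (is every query prepared, is every echo escaped, is the action gated by a nonce and capability) is what to apply when auditing any plugin handler that accepts request parameters.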
It is not clear at the moment whether the wpDataTables Lite vulnerabilities have been exploited by cybercriminals in the ongoing malvertising campaign on the blogging platform.