
WordPress, 13 plugins are vulnerable to XSS attacks

At least 13 WordPress plugins are vulnerable to XSS attacks. The Italian CERT-PA warns that several PoCs have also been released and are easy to use. Update your sites now!

At least 13 WordPress plugins are vulnerable to cross-site scripting (XSS) attacks. Cyber security researchers discovered the flaws and raised the alarm. The affected plugins are: Prismatic version 2.3, Popup-Builder version 3.61.1, Ultimate-Member 2.1.3, Jetpack 8.2, Forminator 1.11.2 (also vulnerable to remote file upload), Events-Manager 5.9.7.3, Default-Featured-Image 1.6.1, Yikes Inc Easy Mailchimp Extender 6.6.2, WPForms-Lite 1.5.8.2, Wordfence 7.4.6, WooCommerce 3.9.2, TinyMCE-Advanced 5.3.0 and Really-Simple-SSL 3.2.9. Moreover, the cyber security experts of the Italian CERT-PA also warn that several proof-of-concept (PoC) exploits have been released and are easy to use. Consequently, it is recommended to promptly update any site hosted on the blogging platform.

Cyber security experts: WordPress and its users have long been in the sights of cybercrime and XSS attacks

Cyber security experts point out that WordPress has long been targeted by cybercrime with XSS attacks. A flaw of this type lets an attacker deliver malicious output to a victim when they visit a website. This can happen in two ways. In the first, the attacker gets the site to store malicious data, which is then displayed to every victim who later visits it (stored XSS). In the second, the attacker crafts a link that causes the malicious code to be shown to the user when that URL on the site is visited (reflected XSS). By exploiting holes in the plugins it is therefore possible to “weaponize” victims' sites and use them in various ways, for instance to redirect visitors to other dangerous pages that contain malware droppers or are fraudulent in nature.
