WordPress Releases A Performance Plugin For “Near-Instant Load Times” via @sejournal, @martinibuster

WordPress released an official plugin that adds support for a cutting edge technology called speculative loading that can help boost site performance and improve the user experience for site visitors.

Speculative Loading

Speculative loading is a technique that fetches pages or resources before a user clicks a link to navigate to another webpage.

The official WordPress page about this new functionality describes it:

“The Speculation Rules API is a new web API… It allows defining rules to dynamically prefetch and/or prerender URLs of certain structure based on user interaction, in JSON syntax—or in other words, speculatively preload those URLs before the navigation.

This API can be used, for example, to prerender any links on a page whenever the user hovers over them. Also, with the Speculation Rules API, “prerender” actually means to prerender the entire page, including running JavaScript. This can lead to near-instant load times once the user clicks on the link as the page would have most likely already been loaded in its entirety. However that is only one of the possible configurations.”

The new WordPress plugin adds support for the Speculation Rules API. The Mozilla developer pages, a great resource for understanding web technologies, describe it like this:

“The Speculation Rules API is designed to improve performance for future navigations. It targets document URLs rather than specific resource files, and so makes sense for multi-page applications (MPAs) rather than single-page applications (SPAs).

The Speculation Rules API provides an alternative to the widely-available feature and is designed to supersede the Chrome-only deprecated feature. It provides many improvements over these technologies, along with a more expressive, configurable syntax for specifying which documents should be prefetched or prerendered.”

Performance Lab Plugin

The new plugin was developed by the official WordPress performance team which occasionally rolls out new plugins for users to test ahead of possible inclusion into the actual WordPress core. So it’s a good opportunity to be first to try out new performance technologies.

The new WordPress plugin is by default set to prerender “WordPress frontend URLs” which are pages, posts, and archive pages. How it works can be fine-tuned under the settings:

Settings > Reading > Speculative Loading

Browser Compatibility

The Speculation Rules API has been supported since Chrome 108; however, the specific rules used by the new plugin require Chrome 121 or higher. Chrome 121 was released in early 2024.

Browsers that do not support the API simply ignore the rules, so the plugin has no effect on the user experience in those browsers.
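To make the quoted descriptions concrete, the following is an added example (not the Speculative Loading plugin's own code, which is PHP). It builds a Speculation Rules document of the kind the plugin injects, serializes it into the `<script type="speculationrules">` tag a browser reads, and evaluates the rules offline against a constructed list of links. The exclusions (admin and login URLs, a `no-prerender` class) and the sample links are assumptions for illustration; the real `href_matches` values are URL patterns, and the evaluator below handles only the `*` wildcard subset used here.

```javascript
// Added example, not the Speculative Loading plugin's own code. Rule set,
// exclusions and sample links are constructed for illustration.

// Rule set: prerender same-origin frontend URLs at "moderate" eagerness
// (typically on hover), but never admin or login URLs, and never links the
// theme marks with a "no-prerender" class.
function buildSpeculationRules(mode = 'prerender', eagerness = 'moderate') {
  return {
    [mode]: [
      {
        source: 'document',
        where: {
          and: [
            { href_matches: '/*' },                          // same-origin paths
            { not: { href_matches: '/wp-admin/*' } },        // never the dashboard
            { not: { href_matches: '/wp-login.php' } },
            { not: { selector_matches: '.no-prerender' } },  // theme opt-out (constructed)
          ],
        },
        eagerness,
      },
    ],
  };
}

// JSON embedded inline must never contain "</script", or the browser ends the
// tag early; "<" becomes \u003c, which is still valid JSON.
function toSpeculationScriptTag(rules) {
  const json = JSON.stringify(rules, null, 2).replace(/</g, '\\u003c');
  return `<script type="speculationrules">\n${json}\n</script>`;
}

// Minimal evaluator for the subset of conditions used above ("*" wildcard
// in href_matches, class selectors in selector_matches, and/not).
function matchesCondition(cond, link) {
  if (cond.and) return cond.and.every((c) => matchesCondition(c, link));
  if (cond.not) return !matchesCondition(cond.not, link);
  if (cond.href_matches !== undefined) {
    const re = new RegExp('^' + cond.href_matches
      .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*') + '$');
    return re.test(link.path);
  }
  if (cond.selector_matches !== undefined) {
    return cond.selector_matches.split(',')
      .map((s) => s.trim())
      .some((s) => s.startsWith('.') && link.classes.includes(s.slice(1)));
  }
  return false;
}

// Which of the page's links would each action (prerender/prefetch) apply to?
function selectCandidates(rules, links) {
  const out = {};
  for (const [action, ruleList] of Object.entries(rules)) {
    out[action] = links
      .filter((l) => ruleList.some((r) => matchesCondition(r.where, l)))
      .map((l) => l.path);
  }
  return out;
}

// Constructed links as they might appear on a WordPress front page.
const SAMPLE_LINKS = [
  { path: '/2024/04/speculative-loading/', classes: [] },
  { path: '/category/news/', classes: [] },
  { path: '/wp-admin/edit.php', classes: [] },
  { path: '/wp-login.php', classes: [] },
  { path: '/checkout/', classes: ['no-prerender'] },
];

console.log(toSpeculationScriptTag(buildSpeculationRules()));
console.log(selectCandidates(buildSpeculationRules(), SAMPLE_LINKS));
```

Only the two content URLs become prerender candidates; the admin, login and opted-out links are skipped. Switching the mode to `prefetch` with `conservative` eagerness applies the same selection with a cheaper action, which is the trade-off the plugin's settings page exposes.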

Check out the new Speculative Loading WordPress plugin developed by the official core WordPress performance team.

Speculative Loading By WordPress Performance Team

WordPress Discovers XSS Vulnerability – Recommends Updating To 6.5.2 via @sejournal, @martinibuster

WordPress announced the 6.5.2 Maintenance and Security Release, an update that patches a stored cross-site scripting vulnerability and fixes over a dozen bugs in the core and the block editor.

The same vulnerability affects both the WordPress core and the Gutenberg plugin.

Cross Site Scripting (XSS)

An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website that then attacks site visitors to those pages.

There are three kinds of XSS vulnerabilities but the most commonly discovered in WordPress plugins, themes and WordPress itself are reflected XSS and stored XSS.

Reflected XSS requires a victim to click a link, an extra step that makes this kind of attack harder to launch.

A stored XSS is the more worrisome variant because it exploits a flaw that allows the attacker to upload a script into the vulnerable site that can then launch attacks against site visitors. The vulnerability discovered in WordPress is a stored XSS.

The threat is mitigated to a certain degree because this is an authenticated stored XSS, which means that the attacker first needs to acquire at least contributor-level permissions in order to exploit the flaw.

This vulnerability is rated as a medium level threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 – 10.

Wordfence describes the vulnerability:

“WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
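The following is an added example, not WordPress core code, that walks through the path the Wordfence description above outlines. WordPress is written in PHP and escapes this context with `esc_html()`; the Node.js model below reproduces the same idea: a contributor-level account stores a display name, and a block later prints it into every page that shows the avatar. The user record, the markup and the payload are constructed.

```javascript
// Added example, not WordPress core code. The users table, markup and
// payload are constructed to show the stored-XSS path and the fix.

// HTML text-context escaping: the five characters that can alter markup
// become entities, so the browser displays them instead of parsing them.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Stand-in for the users table: the "stored" half of stored XSS.
const users = new Map();
function setDisplayName(userId, displayName) {
  users.set(userId, { displayName });   // persisted exactly as submitted
}

// "Before": the stored value goes straight into the markup
// (insufficient output escaping, as the advisory describes).
function renderAvatarBlockVulnerable(userId) {
  const { displayName } = users.get(userId);
  return `<figure class="avatar"><figcaption>${displayName}</figcaption></figure>`;
}

// "After": the same markup, escaped at the point of output.
function renderAvatarBlockSafe(userId) {
  const { displayName } = users.get(userId);
  return `<figure class="avatar"><figcaption>${escapeHtml(displayName)}</figcaption></figure>`;
}

// Detection-side check a code reviewer or test can run over rendered output:
// an executable element or event-handler attribute that originated in a data
// field is a finding.
function containsExecutableMarkup(html) {
  return /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Walk through the scenario and return both renderings for comparison.
function demo() {
  // A contributor-level account sets a name containing a script (constructed payload).
  setDisplayName(42, 'Pat <script>alert(1)</script>');
  // Every later page view that prints the name runs in a visitor's browser.
  const vulnerable = renderAvatarBlockVulnerable(42);
  const safe = renderAvatarBlockSafe(42);
  return {
    vulnerable,
    safe,
    vulnerableExecutes: containsExecutableMarkup(vulnerable),  // true
    safeExecutes: containsExecutableMarkup(safe),              // false
  };
}

console.log(demo());
```

The point of the model is that the dangerous step is not the save but the later output: the value was legitimately stored, so the only reliable control is escaping at the exact moment it is written into HTML.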

WordPress.org Recommends Updating Immediately

The official WordPress announcement recommended that users update their installations, writing:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 6.1 and later.”

Read the Wordfence advisories:

WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Gutenberg 12.9.0 – 18.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Read the official WordPress.org announcement:

WordPress 6.5.2 Maintenance and Security Release

Featured Image by Shutterstock/ivan_kislitsin

XSS Vulnerability Affects Beaver Builder WordPress Page Builder via @sejournal, @martinibuster

The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional looking website using an easy to use drag and drop interface. Users can start with a predesigned template or create a website from scratch.

Stored Cross Site Scripting (XSS) Vulnerability

Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that allows user input. The flaw arises when there is insufficient filtering of what can be input (a process called input sanitization). Another flaw that leads to an XSS is insufficient output escaping, which is a security measure on the output of a plugin that prevents harmful scripts from passing to a website browser.

This specific vulnerability is called a stored XSS. Stored means that an attacker is able to inject a script directly onto the web server, where it persists. This is different from a reflected XSS, which requires a victim to click a link to the attacked website in order to execute a malicious script. A stored XSS, such as the one affecting Beaver Builder, is generally considered more dangerous than a reflected XSS.

The security flaws that gave rise to an XSS vulnerability in the Beaver Builder were due to insufficient input sanitization and output escaping.

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability is rated 6.4, a medium level threat. Attackers must gain at least contributor-level permission levels in order to be able to launch an attack, which makes this vulnerability a little harder to exploit.
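The Wordfence text says the flaw is in "user supplied attributes" of the Button widget. The following added example (not Beaver Builder code, whose modules are PHP and would use `esc_attr()` and `esc_url()` for these contexts) renders a button from contributor-supplied settings, first as the advisory describes, then with each value treated according to the HTML context it lands in: a scheme allowlist for the link, entity escaping for attribute values and text. Attribute names, the class name and the payload are constructed.

```javascript
// Added example, not Beaver Builder code. Attribute names, class name and
// payload are constructed to show context-specific escaping.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
// Escaping for attribute values and text: quotes can no longer end the
// attribute, angle brackets can no longer start a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Link values need a scheme allowlist, not escaping: "javascript:" contains
// nothing an HTML escaper touches, yet it runs when the link is clicked.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];
function safeUrl(raw) {
  // Strip control characters and whitespace first; browsers ignore them when
  // reading a scheme, so "java\tscript:" would otherwise pass the check.
  const cleaned = String(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.includes(m[1].toLowerCase())) return '';
  return cleaned;   // relative URLs and allowed schemes pass through
}

// "Before": attributes are interpolated exactly as submitted.
function renderButtonVulnerable(attrs) {
  return `<a class="button" href="${attrs.link}" target="${attrs.target}">${attrs.text}</a>`;
}

// "After": URL validated, attribute values and text escaped for their
// context. (An allowlist of _self/_blank for target would be stricter still.)
function renderButtonSafe(attrs) {
  const href = escapeAttr(safeUrl(attrs.link));
  const target = escapeAttr(attrs.target);
  return `<a class="button" href="${href}" target="${target}">${escapeAttr(attrs.text)}</a>`;
}

// Structural check: a well-formed tag with three quoted attributes has exactly
// six double quotes; extra ones mean a value broke out of its attribute.
function countDoubleQuotes(html) {
  return (html.match(/"/g) || []).length;
}

function demo() {
  // Constructed widget settings as saved by a contributor-level account.
  const attrs = {
    link: 'javascript:alert(1)',
    target: '_self" onmouseover="alert(1)',
    text: 'Buy <b>now</b>',
  };
  const vulnerable = renderButtonVulnerable(attrs);
  const safe = renderButtonSafe(attrs);
  return {
    vulnerable,
    safe,
    vulnerableQuotes: countDoubleQuotes(vulnerable),  // 8: the target value escaped its attribute
    safeQuotes: countDoubleQuotes(safe),              // 6: three attributes, nothing broke out
  };
}

console.log(demo());
```

The quote count is a cheap structural signal: the vulnerable rendering gained an attribute it never declared, while in the hardened output the injected quotes are inert entities and the `javascript:` link is dropped rather than escaped.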

The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version 2.8.0.7.

The changelog notes:

“Fix XSS issue in Button & Button Group Modules when using lightbox”

Recommended action: It’s generally a good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s also a best practice to test the update on a staging site before pushing it live, in case the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button


Featured Image by Shutterstock/Prostock-studio

Data Confirms A Surge In WordPress Vulnerabilities via @sejournal, @martinibuster

WordPress security researchers at Patchstack published their annual State of WordPress Security whitepaper that showed an increase of high and critical severity vulnerabilities, highlighting the importance of security for all websites on the WordPress platform.

XSS Is Top WordPress Vulnerability Of 2023

There are many kinds of vulnerabilities, but the most common by far were cross-site scripting (XSS) vulnerabilities, accounting for 53.3% of all new WordPress security vulnerabilities.

XSS vulnerabilities generally occur due to insufficient “sanitization” of user inputs, which includes blocking any inputs that do not conform to what is expected. Patchstack shared that the Freemius framework, a third-party managed eCommerce platform, accounted for over 1,200 of all XSS vulnerabilities, representing 21% of all new XSS vulnerabilities discovered in 2023.

The Freemius Software Development Kit (SDK) is used as a component of over 1,200 plugins which in turn is installed in over 7 million WordPress sites. This highlights the problem of supply chain vulnerabilities where a component is used as a part of a WordPress plugin which subsequently increases the scope of a vulnerability beyond just one plugin.

Patchstack’s report explained:

“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.

21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available.”

More Vulnerabilities Rated High Or Critical

Vulnerabilities are assigned a severity score that corresponds to how disruptive a discovered flaw is. The ratings are low, medium, high and critical.

In 2022, 13% of new vulnerabilities were classified as high or critical. That percentage skyrocketed to 42.9% in 2023, meaning that there were more destructive vulnerabilities in 2023 than in the previous year.

Authenticated Versus Unauthenticated Vulnerabilities

Another metric that pops out in the report is the percentage of vulnerabilities that require no authentication (unauthenticated), meaning the attacker does not need any user permission level in order to launch an attack.

Flaws that require an attacker to hold subscriber-level to admin-level permissions set a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require the attacker to first obtain a permission level, which makes those vulnerabilities more concerning because they can be exploited through automated attacks, such as bots that probe a site for the vulnerability and then automatically launch attacks.

Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.

Abandoned Plugins Spike As a Risk Factor

Another significant cause of vulnerabilities is the large number of abandoned plugins. In 2022 Patchstack reported 147 abandoned plugins and themes to WordPress.org; of those, 87 were removed and the remainder were patched.

In 2023 the number of abandoned plugins exploded from 147 in 2022 to 827 plugins and themes in 2023. Whereas 87 vulnerable abandoned plugins were removed in 2022, 481 were removed in 2023.

Patchstack noted:

“We reported 404 of those plugins in a single day to draw attention to the “zombie plugin pandemic” in WordPress. Such “zombie” plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”

Most Popular Plugins With Vulnerabilities

As mentioned earlier, severity ratings are low, medium, high and critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.

In 2022 there were 11 popular plugins with over a million active installations that contained vulnerabilities. In 2023 Patchstack lowered the bar on installations from a million to over 100,000 installations. Yet despite making it easier to get on the list, there were only 9 popular plugins that were found to have a vulnerability, far fewer than in 2022.

In 2022 only five out of 11 of the most popular plugins with vulnerabilities contained a high severity vulnerability, none contained a critical level vulnerability and the rest were medium level severity.

Those numbers became significantly worse in 2023. Despite the lower threshold for what counts as a popular plugin, all nine plugins on the list contained critical-level vulnerabilities. The overwhelming majority, six out of nine, contained unauthenticated vulnerabilities, meaning that exploiting them is easy to scale with automation. The remaining three that required authentication only required subscriber-level access, which is the easiest permission level to acquire: just sign up, verify the email and they’re in. That too can be scaled with automation.

List Of Most Popular Plugins With Vulnerabilities

  1. Essential Addons for Elementor 1M+ installations (severity rating 9.8)
  2. WP Fastest Cache 1M+ installations (severity rating 9.3)
  3. Gravity Forms 940k installations (severity rating 8.3)
  4. Fusion Builder 900k installations (severity rating 8.5)
  5. Flatsome (Theme) 618k installations (severity rating 8.3)
  6. WP Statistics 600k installations (severity rating 9.9)
  7. Forminator 400k installations (severity rating 9.8)
  8. WPvivid Backup and Migration 300k installations (severity rating 8.8)
  9. JetElements For Elementor 300k installations (severity rating 8.2)

State Of WordPress Security Is Worse

If you feel like there are more vulnerabilities lately than ever before, now you know the reason, the statistics speak for themselves. There are more vulnerabilities in 2023 and a greater percentage are at high and critical levels which can be exploited with automation at scale.

This means that all publishers need to improve their security and make sure that someone is taking responsibility for auditing their plugins and themes on a regular basis to make sure they are all updated and actively maintained.

SEOs should take notice because security quickly becomes a ranking problem when Google drops a hacked site from the search results. Many SEOs who perform site audits don’t do even the most basic security checks like verifying if the security headers are in place, which is something that I do as a part of every audit I perform. Always make sure to have a discussion with clients about their security to make sure they are aware of the risks.
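As an added example of the security-header check mentioned above (not code from the article or from Patchstack), the following Node.js function audits a response header set for the headers an audit usually looks for. The sample headers are constructed; in practice they would come from a real response, for example `Object.fromEntries((await fetch(url)).headers)`. The thresholds and advice strings are assumptions.

```javascript
// Added example, not from the article or the Patchstack report. Sample
// headers, thresholds and advice text are constructed.

const SIX_MONTHS = 15552000; // seconds; a common minimum for HSTS max-age

// Each check receives the lowercased header value (undefined when absent)
// and the full lowercased header map, for checks that depend on another header.
const CHECKS = [
  {
    name: 'strict-transport-security',
    ok: (v) => v !== undefined && Number((/max-age=(\d+)/.exec(v) || [])[1]) >= SIX_MONTHS,
    advice: 'send max-age of at least six months',
  },
  {
    name: 'content-security-policy',
    ok: (v) => v !== undefined && v.trim().length > 0,
    advice: 'add a policy; at minimum restrict script-src and object-src',
  },
  {
    name: 'x-content-type-options',
    ok: (v) => v !== undefined && v.trim() === 'nosniff',
    advice: 'set to nosniff',
  },
  {
    name: 'x-frame-options',
    // CSP frame-ancestors supersedes this header, so either one satisfies the check.
    ok: (v, all) => (v !== undefined && ['deny', 'sameorigin'].includes(v.trim()))
      || /frame-ancestors/.test(all['content-security-policy'] || ''),
    advice: 'set DENY or SAMEORIGIN, or use CSP frame-ancestors',
  },
  {
    name: 'referrer-policy',
    ok: (v) => v !== undefined && v.trim().length > 0,
    advice: 'set e.g. strict-origin-when-cross-origin',
  },
  {
    name: 'x-powered-by',
    // Presence is the problem: it advertises the PHP version to scanners.
    ok: (v) => v === undefined,
    advice: 'remove it (expose_php = Off in php.ini, or header_remove() in PHP)',
  },
];

// Header names are case-insensitive; values are lowercased for simple comparison.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).toLowerCase();
  return out;
}

function auditHeaders(headers) {
  const all = normalizeHeaders(headers);
  const pass = [];
  const fail = [];
  for (const c of CHECKS) {
    if (c.ok(all[c.name], all)) pass.push(c.name);
    else fail.push({ header: c.name, advice: c.advice });
  }
  return { pass, fail, score: `${pass.length}/${CHECKS.length}` };
}

// Constructed response headers typical of an untuned WordPress host.
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=UTF-8',
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Powered-By': 'PHP/8.1.2',
  'Link': '<https://example.com/wp-json/>; rel="https://api.w.org/"',
};

console.log(auditHeaders(SAMPLE_RESPONSE_HEADERS));
```

For the constructed response the audit passes two of six checks: the HSTS max-age is far too short, there is no Content Security Policy or Referrer-Policy, and the PHP version is being advertised. A site that sets CSP with `frame-ancestors` is not penalised for omitting `X-Frame-Options`.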

Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. Those kinds of services are important in order to create a defense against getting hacked and losing search visibility and earnings.

Read the Patchstack report:

State of WordPress Security In 2023

Featured Image by Shutterstock/Iurii Stepanov

15 Vulnerabilities In 11 Elementor Addons Hit +3M WordPress Sites via @sejournal, @martinibuster

Researchers have issued advisories for eleven separate Elementor add-on plugins with 15 vulnerabilities that can make it possible for hackers to upload malicious files. One of them is rated as a high threat vulnerability because it can allow hackers to bypass access controls, execute scripts and obtain sensitive data.

Two Different Kinds Of Vulnerabilities

The majority of the vulnerabilities are Stored Cross Site Scripting (XSS). Three of them are Local File Inclusion.

XSS vulnerabilities are among the most common form of vulnerability found in WordPress plugins and themes. They generally arise from flaws in how input data is secured (input sanitization) and also how output data is locked down (output escaping).

A Local File Inclusion vulnerability is one that exploits an unsecured user input area that allows an attacker to “include” a file via the input. Include is a coding term. In plain English, a file inclusion is a statement in a script that tells the website to load code or data from a specific file, such as a PHP file. I have used includes in PHP to bring in data from one file (like the title of a webpage) and stick it into the meta description; that’s an example of an include.

This kind of vulnerability can be a serious threat because it allows an attacker to “include” a wide range of code which in turn can lead to the ability to bypass any restrictions on actions that can be carried out on the website and/or allow access to sensitive data that is normally restricted.

The Open Web Application Security Project (OWASP) defines a Local File Inclusion vulnerability:

“The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

Code execution on the web server

Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)

Denial of Service (DoS)

Sensitive Information Disclosure”
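The following is an added example, not ElementsKit code, of the decision behind a file-inclusion flaw and its fix. A PHP widget would `include()` a template file chosen by a widget setting; this Node.js model makes the same decision with a constructed template directory and a constructed allowlist of layout names, first the vulnerable way (path built from the raw setting) and then with an allowlist plus a containment check. No files are read, so it runs anywhere.

```javascript
// Added example, not ElementsKit code. TEMPLATE_DIR and LAYOUTS are
// constructed; nothing here touches the disk.

const TEMPLATE_DIR = '/var/www/wp-content/plugins/example-addon/templates'; // constructed
const LAYOUTS = ['grid', 'list', 'carousel'];                               // constructed allowlist

// Resolve "." and ".." segments the way an include would, without the disk.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// "Before": the setting is joined onto the directory and included as-is.
// "../" segments climb out of the plugin folder, and anything the web
// server can read becomes includable.
function resolveTemplateVulnerable(layout) {
  return normalizePath(`${TEMPLATE_DIR}/${layout}.php`);
}

// "After": two independent checks. The allowlist alone is sufficient; the
// containment check stays as defence in depth for future code paths.
function resolveTemplateSafe(layout) {
  if (typeof layout !== 'string' || layout.includes('\0')) return null; // NUL bytes truncate paths in some runtimes
  if (!/^[a-z0-9-]+$/.test(layout) || !LAYOUTS.includes(layout)) return null;
  const resolved = normalizePath(`${TEMPLATE_DIR}/${layout}.php`);
  return resolved.startsWith(TEMPLATE_DIR + '/') ? resolved : null;
}

// Review-time helper: does a resolved path stay inside the template directory?
function isInsideTemplateDir(resolved) {
  return resolved !== null && resolved.startsWith(TEMPLATE_DIR + '/');
}

// Compare both resolvers over constructed settings: a legitimate layout name
// and a traversal string of the kind the OWASP text describes.
function demo() {
  const inputs = ['grid', '../../../../wp-config'];
  const result = {};
  for (const input of inputs) {
    const vulnerable = resolveTemplateVulnerable(input);
    result[input] = {
      vulnerable,
      vulnerableStaysInside: isInsideTemplateDir(vulnerable),
      safe: resolveTemplateSafe(input),
    };
  }
  return result;
}

console.log(demo());
```

The vulnerable resolver turns the traversal string into `/var/www/wp-config.php`, outside the template directory; the hardened one returns `null` for anything that is not one of the three known layout names, which also rules out the "safe" uploaded file types the Wordfence advisory mentions, since an uploaded image can never match the allowlist.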

List Of Vulnerable Elementor Add-On Plugins

There are eleven total Elementor add-on plugins that have vulnerability advisories, two of which were issued today (March 29th), two of which were issued on March 28th. The remaining seven were issued within the past few days.

Some of the plugins have more than one vulnerability so that there are a total of 15 vulnerabilities in eleven of the plugins.

Of the eleven plugins, one has a vulnerability rated High Severity and the rest are rated Medium Severity.

Here is the list of plugins in descending order from the most recent advisory to the earliest. The number next to a plugin indicates that it has more than one vulnerability.

List of Vulnerable Elementor Add-Ons

  1. ElementsKit Elementor addons (x2)
  2. Unlimited Elements For Elementor
  3. 140+ Widgets | Best Addons For Elementor
  4. Better Elementor Addons
  5. Elementor Addon Elements (x2)
  6. Master Addons for Elementor
  7. The Plus Addons for Elementor (x2)
  8. Essential Addons for Elementor (x2)
  9. Element Pack Elementor Addons
  10. Prime Slider – Addons For Elementor
  11. Move Addons for Elementor

High Severity Vulnerability

The High Severity vulnerability, found in the ElementsKit Elementor Addons plugin for WordPress, is especially concerning because it can put over a million websites in danger. This vulnerability is rated 8.8 on a scale of 1 – 10.

What accounts for its popularity is the all-in-one nature of the plugin that allows users to easily modify virtually any on-page design feature in the headers, footers, and menus. It also includes a vast template library and 85 widgets that add extra functionality to webpages created with the Elementor website building platform.

The Wordfence security researchers described the vulnerability threat:

“The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.”

Millions of WordPress Sites Affected

The vulnerabilities may affect over 3 million websites. Just two of the plugins have a total of three million active installations. Websites tend to use just one of these plugins because there is a certain amount of overlap between the features. The all-in-one nature of some of these plugins means that only one plugin is needed in order to access important widgets for adding sliders, menus and other on-page elements.

List of Vulnerable Plugins By Number Of Installations

  1. Essential Addons for Elementor – 2 Million
  2. ElementsKit Elementor addons – 1 Million
  3. Unlimited Elements For Elementor – 200k
  4. Elementor Addon Elements – 100k
  5. The Plus Addons for Elementor – 100k
  6. Element Pack Elementor Addons – 100k
  7. Prime Slider – Addons For Elementor – 100k
  8. Master Addons for Elementor – 40k
  9. 140+ Widgets | Best Addons For Elementor – 10k
  10. Move Addons for Elementor – 3k
  11. Better Elementor Addons – Unknown – Closed By WordPress

Recommended Action

Although many of the medium level severity vulnerabilities require hackers to obtain contributor level authentication in order to launch an attack, it’s best not to underestimate the risk posed by other plugins or installed themes that might grant the attacker the ability to launch these specific attacks.

It’s generally prudent to test updated themes before pushing updates to a live site.

Read the official Wordfence advisories (with CVE numbers):

A. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1238

B. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw CVE-2024-2047 8.8 HIGH THREAT

03/29 Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link CVE-2024-0367

03/28 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2250

03/28 Better Elementor Addons <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget links CVE-2024-2280

A. Elementor Addon Elements <= 1.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2091

B. Elementor Addon Elements <= 1.13.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget CVE-2024-2792

Master Addons for Elementor <= 2.0.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget CVE-2024-2139

A. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Team Member Listing CVE-2024-2210

B. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Clients Widget CVE-2024-2203

A. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting ( via the countdown widget’s message parameter) CVE-2024-2623

B. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (via the alignment parameter in the Woo Product Carousel widget) CVE-2024-2650

Element Pack Elementor Addons <= 5.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via link CVE-2024-30185

Prime Slider – Addons For Elementor <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via title CVE-2024-30186

Move Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2131

Featured Image by Shutterstock/Andrey Myagkov

WordPress 6.5 Release Derailed By Bugs In New Feature via @sejournal, @martinibuster

WordPress 6.5 has been postponed because of disagreements over a new feature that would have required some websites to download a plugin in order to keep them functioning.

Font Directory Problem

What derailed the 6.5 release is a new Font Library feature for managing fonts that also makes using Google Fonts GDPR compliant. The GDPR compliance part is a nice feature that allows a publisher to connect with Google Fonts and download fonts locally instead of serving them from Google’s servers. That’s what makes them GDPR compliant, because Google’s servers won’t have access to your site visitors’ IP addresses.

The fonts themselves were going to be stored in a new location, /wp-content/fonts/. However, it was acknowledged that doing this would result in bugs due to some file systems’ inability to store fonts in that directory. The compromise that the core contributors initially agreed to was to require affected sites to use a plugin (Fonts to Uploads) in order to function with WordPress 6.5.

That plan didn’t go down too well because it didn’t conform to the design philosophy of making WordPress work out of the box.

There was strong opposition from the WordPress community.

Among the comments:

“I think this is a significant mistake that deviates from WordPress’ core philosophies, the existing technical infrastructure, and the stated requirements and plan for shipping in 6.5. …By removing a key aspect of the compromise plan, it undermines the entire plan, and means we are fundamentally shipping something we know is broken with 6.5.”

Multiple comments agreed that the original plan was flawed, including this one:

“So basically the decision of moving uploadable fonts outside of the uploadable folder is already proven problematic even before releasing with partial testing.

And TBH `wp-content/uploads/fonts` path was semantically better in the first place.”

So the fonts are now back to being stored in the more compatible location of /wp-content/uploads/fonts/.

And that led to the announcement that 6.5 would be delayed by a week:

“Based on community feedback on the Unblocking WP6.5 – Font Library and Synced Pattern Overrides and Font Library follow up posts, there has been a change to the WordPress 6.5 release schedule and a final change to the Font Library.

…This approach ensures that the greatest number of sites possible can benefit from the new Font Library feature without the need to install or configure anything. …Shipping a feature that requires additional configuration or technical knowledge isn’t in line with the guiding philosophies that have helped the project mature into the successful project that exists today.”

Not Without Some Minor Complaints

The change to where the files will be stored did meet with the observation that storing fonts in the /uploads/ directory is not semantically correct because the fonts are downloaded in the case of Google fonts, among other observations.

WordPress 6.5 is now scheduled for release on Tuesday, April 2nd, 2024.

Read the full announcement:

WordPress 6.5 release delayed 1 week

Featured Image by Shutterstock/PBXStudio

2M+ WordPress Sites Hit By Essential Addons For Elementor Vulnerability via @sejournal, @martinibuster

Security researchers published an advisory on the popular Essential Addons For Elementor WordPress plugin which was discovered to contain a Stored Cross-Site Scripting vulnerability affecting over 2 million websites.

Flaws in two different widgets that are a part of the plugin are responsible for the vulnerabilities.

Two Widgets That Lead To Vulnerabilities

  1. Countdown Widget
  2. Woo Product Carousel Widget

Essential Addons For Elementor

Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor makes it easy for anyone to create websites and the Essential Addons makes it possible to add even more website features and widgets.

The Vulnerability

The advisory by Wordfence announced that the plugin contained a Stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to upload a malicious script and attack website visitor browsers, which can itself lead to stealing session cookies in order to take control of the website.

XSS vulnerabilities are among the most common and arise from a failure to properly sanitize (screen or filter) fields that accept inputs like text or images.

Plugins typically “sanitize” inputs which means that they filter out unwanted inputs like scripts.

Another flaw that creates an XSS vulnerability is the failure to “escape output,” which means to neutralize any unwanted data in the output so that it cannot run as code when it reaches a browser.

Wordfence cites both of those flaws as factors that led to the vulnerabilities.

They warned about the countdown widget:

“The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The warning about the Woo Product Carousel Widget:

“The Essential Addons for Elementor …plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping. “


Authenticated Attackers

What’s meant by the phrase “authenticated attackers” is that a hacker first needs to acquire website credentials in order to launch the attack. The Essential Addons for Elementor vulnerability requires an attacker to have contributor-level access or higher.

Medium Level Threat – Updating Recommended

The vulnerability is rated as a medium threat and has been assigned a score of 6.4 on a scale of 1 – 10, with 10 being the most critical level of vulnerability.

Plugin users that have version 5.9.11 or lower are recommended to upgrade to the latest version of the plugin, currently version 5.9.13.

Read the Wordfence security bulletins:

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Featured Image by Shutterstock/Aleksandrs Sokolovs

Rank Math WordPress SEO Plugin Vulnerability Affects +2 Million Sites via @sejournal, @martinibuster

The Rank Math SEO plugin, with over 2 million users, recently patched a stored cross-site scripting vulnerability that makes it possible for attackers to upload malicious scripts and launch attacks.

Rank Math SEO Plugin

Rank Math is a popular SEO plugin that’s installed in over 2 million websites. It has an incredible array of functions that ranges from keyword tracking, Schema.org structured data integration, Google Search Console and Analytics integration, a redirect manager and other features that make it unnecessary to use other plugins for technical or on-page SEO.

A popular feature that users appreciate is that it’s a modular plugin, which means users can choose which features they require and turn off those that they don’t, which can help make a website perform even faster.

Many turn to Rank Math as an alternative to Yoast. A comparison between the two shows that Rank Math is smaller (61.1k lines of code versus Yoast’s 97.1k lines) and uses less server resources (+0.35 MB of memory versus Yoast’s +1.62 MB).

Authenticated Stored Cross-Site Scripting

Wordfence WordPress security researchers published an advisory about a stored Cross-Site Scripting (XSS) vulnerability in the Rank Math SEO plugin.

A stored XSS vulnerability allows an attacker to upload malicious scripts that attack visitors’ browsers, which can result in the theft of session cookies, enabling unauthorized website access and the compromise of sensitive data.

Insufficient Input Sanitization And Output Escaping

The vulnerability is caused by insufficient input sanitization and output escaping. These are common causes of XSS vulnerabilities, which occur in areas of plugins that allow users to upload or input data.

Sanitizing input data is like filtering out unwanted types of input, such as scripts or HTML where only text input is expected. Output escaping is a process applied to what the website sends to the browser so that unwanted output, such as a malicious script, is rendered as harmless text instead of being executed.

Wordfence warned:

“The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes.

This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Rank Math’s update changelog responsibly acknowledges what was changed in their plugin and the reason for the update. This transparency makes it possible for plugin users to understand the importance of a given update and to make an informed decision as to the urgency of the update.

The changelog identifies the patched vulnerability:

“Improved: Strengthened the security of the plugin’s HowTo Block to prevent potential exploitation by users with post edit access. Thanks to WordFence (https://www.wordfence.com/) for revealing it responsibly”

Read the official Wordfence advisory:

Rank Math SEO with AI SEO Tools <= 1.0.214 – Authenticated (Contributor+) Stored Cross-Site Scripting via HowTo block attributes

Featured Image by Shutterstock/Roman Samborskyi

WordPress Astra Theme Vulnerability Affects +1 Million Sites via @sejournal, @martinibuster

One of the world’s most popular WordPress themes quietly patched a security vulnerability over the weekend that security researchers say appears to have been a stored XSS vulnerability.

The official Astra changelog offered this explanation of the security release:

“Enhanced Security: Our codebase has been strengthened to further protect your website.”

Their changelog, which documents changes to the code that’s included in every update, offers no information about what the vulnerability was or its severity. Theme users thus can’t make an informed decision as to whether to update their theme as soon as possible or to conduct tests first before updating to ensure that the updated theme is compatible with the other plugins in use.

SEJ reached out to Patchstack, a WordPress security company, which verified that Astra may have patched a cross-site scripting vulnerability.

Brainstorm Force Astra WordPress Theme

Astra is one of the world’s most popular WordPress themes. It’s a free theme that’s relatively lightweight, easy to use and results in professional-looking websites. It even has Schema.org structured data integrated within it.

Cross-Site Scripting Vulnerability (XSS)

A cross-site scripting vulnerability is one of the most common types of vulnerabilities found on WordPress and generally arises within third-party plugins and themes. It occurs when there’s a way to input data but the plugin or theme doesn’t sufficiently filter what’s being input or output, which can subsequently allow an attacker to upload a malicious payload.

This particular vulnerability is called a stored XSS. A stored XSS is so called because the payload is uploaded directly to the website server and stored there.

The non-profit Open Worldwide Application Security Project (OWASP) website offers the following description of a stored XSS vulnerability:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.”

Patchstack Review Of Plugin

SEJ contacted Patchstack, who promptly reviewed the changed files and identified a possible theme security issue in three WordPress functions. WordPress functions are code that can change how WordPress features behave, such as changing how long an excerpt is. Functions can add customizations and introduce new features to a theme.

Patchstack explained their findings:

“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.

It seems that several functions have had a change made to them to escape the return value from the WordPress function get_the_author.

This function prints the “display_name” property of a user, which could contain something malicious to end up with a cross-site scripting vulnerability if printed directly without using any output escaping function.

The following functions have had this change made to them:

astra_archive_page_info
astra_post_author_name
astra_post_author

If, for example, a contributor wrote a post and this contributor changes their display name to contain a malicious payload, this malicious payload will be executed when a visitor visits that page with their malicious display name.”
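The scenario Patchstack describes, a display name that carries markup and sits in the users table, is something a site owner can check for before and after updating the theme. The following PHP script is an added example, not Patchstack’s or Astra’s code: it expects on standard input the JSON that WP-CLI’s `wp user list --fields=ID,user_login,display_name --format=json` produces, and falls back to a constructed sample set when nothing is piped in. The finding categories and the file name `audit_display_names.php` are this example’s own.

```php
<?php
// Added example (not Patchstack's or Astra's code): flag user display names that
// contain markup so they can be reviewed. Run it against a live site with:
//   wp user list --fields=ID,user_login,display_name --format=json | php audit_display_names.php
// With nothing on stdin it audits a constructed sample. Needs PHP 7.2+ (stream_isatty).
declare(strict_types=1);

// Returns the reasons a display name looks like it carries markup; an empty
// array means nothing suspicious was found.
function display_name_findings(string $name): array
{
    $findings = [];
    if (strpbrk($name, '<>') !== false) {
        $findings[] = 'angle brackets';
    }
    if (preg_match('/\bon[a-z]+\s*=/i', $name)) {
        $findings[] = 'event-handler attribute';
    }
    if (preg_match('/javascript\s*:/i', $name)) {
        $findings[] = 'javascript: URL';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $findings[] = 'control characters';
    }
    return $findings;
}

// Runs the check over rows shaped like `wp user list --format=json` output
// (objects with ID, user_login and display_name keys).
function audit_users(array $users): array
{
    $flagged = [];
    foreach ($users as $u) {
        $name = (string) ($u['display_name'] ?? '');
        $why = display_name_findings($name);
        if ($why !== []) {
            $flagged[] = [
                'ID'           => $u['ID'] ?? null,
                'user_login'   => $u['user_login'] ?? null,
                'display_name' => $name,
                'findings'     => $why,
            ];
        }
    }
    return $flagged;
}

// Constructed sample records (not real users).
$sample = [
    ['ID' => 2, 'user_login' => 'alice', 'display_name' => 'Alice Example'],
    ['ID' => 3, 'user_login' => 'bob',   'display_name' => 'Bob <b>Editor</b>'],
    ['ID' => 4, 'user_login' => 'carol', 'display_name' => "Carol\tExample"],
];

$stdin = stream_isatty(STDIN) ? '' : stream_get_contents(STDIN);
$users = $sample;
if ($stdin !== '') {
    $decoded = json_decode($stdin, true);
    if (!is_array($decoded)) {
        fwrite(STDERR, "Input is not valid JSON from wp user list\n");
        exit(2);
    }
    $users = $decoded;
}

foreach (audit_users($users) as $row) {
    printf(
        "user %s (%s): %s -> %s\n",
        $row['ID'],
        $row['user_login'],
        json_encode($row['display_name']),
        implode(', ', $row['findings'])
    );
}
```

The script only reports; deciding whether a flagged name is an attacker’s leftover or an innocent oddity is a manual step, and a flagged name should be cleaned up after the theme update as well, since the unescaped value may still be rendered by other plugins or themes that print `get_the_author()` directly.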

In the context of XSS vulnerabilities in WordPress, untrusted data enters wherever a user is able to input data.

WordPress handles untrusted data with three processes: sanitization, validation, and escaping, three ways of securing a WordPress website.

Sanitization can be described as a process that filters input data. Validation is the process of checking what’s input to determine whether it’s exactly what’s expected, such as text instead of code. Escaping output makes sure that anything that’s output, such as user input or database content, is safe to display in the browser.
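To make the three processes concrete for the display-name case above, and for the sanitization versus output-escaping distinction drawn in the Rank Math article earlier on this page, here is an added PHP example that is not Astra’s, Rank Math’s or WordPress core’s code. It shows the unescaped and the escaped rendering of an author name, a validation rule of its own devising, and, when loaded inside WordPress, an input-side filter on the core `pre_user_display_name` hook. Outside WordPress, `esc_html()` and `sanitize_text_field()` are replaced by labelled stand-ins so the file runs with plain `php`.

```php
<?php
// Added example (not Astra's, Rank Math's or WordPress core's code): sanitization,
// validation and escaping applied to an author display name. Outside WordPress the
// two core helpers are replaced by stand-ins with the same intent so the file runs
// with plain `php`; inside a theme or plugin the real functions are used instead.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): encode HTML-significant characters so
    // the browser renders them as text rather than markup.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): drop tags and control
    // characters, collapse whitespace, trim (same intent, not byte-identical).
    function sanitize_text_field(string $text): string
    {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        $text = preg_replace('/\s+/', ' ', $text);
        return trim($text);
    }
}

// VALIDATION: is the proposed name acceptable at all? The rule (length plus a
// conservative character class with no angle brackets, quotes or ampersands)
// is this example's own policy, not WordPress's.
function validate_display_name(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > 60) {
        return false;
    }
    return preg_match('/^[\p{L}\p{M}\p{N} .\-]+$/u', $name) === 1;
}

// Vulnerable pattern (the "before" of a fix like Astra's): the stored display
// name is concatenated straight into markup.
function render_author_unescaped(string $display_name): string
{
    return '<span class="author">' . $display_name . '</span>';
}

// Fixed pattern: ESCAPE at the point of output, whatever happened when the
// value was saved. This is the kind of change Patchstack describes.
function render_author_escaped(string $display_name): string
{
    return '<span class="author">' . esc_html($display_name) . '</span>';
}

// Defence in depth on the input side: inside WordPress, SANITIZE the display
// name before it is saved. pre_user_display_name is the core filter applied in
// wp_insert_user(); the guard lets this file run outside WordPress.
if (function_exists('add_filter')) {
    add_filter('pre_user_display_name', 'sanitize_text_field');
}

// Constructed sample: a contributor's display name carrying markup.
$stored = 'Alice <b>Editor</b>';

echo 'Unescaped output: ', render_author_unescaped($stored), PHP_EOL; // markup reaches the browser
echo 'Escaped output:   ', render_author_escaped($stored), PHP_EOL;   // shown as literal text

$clean = sanitize_text_field($stored);
echo 'Sanitized input:  ', $clean, PHP_EOL;
echo 'Valid as stored?  ', validate_display_name($stored) ? 'yes' : 'no', PHP_EOL;
echo 'Valid sanitized?  ', validate_display_name($clean) ? 'yes' : 'no', PHP_EOL;
```

Escaping at output is the part that actually closes the hole: the value may already be in the database, and it may have been written by code paths the theme does not control. Sanitizing and validating on input reduce how much untrusted markup gets stored in the first place, but they are not a substitute for escaping.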

WordPress security company Patchstack identified changes to functions that escape data which in turn gives clues as to what the vulnerability is and how it was fixed.

Patchstack Security Advisory

It’s unknown whether a third party security researcher discovered the vulnerability or if Brainstorm, the makers of the Astra theme, discovered it themselves and patched it.

The official Patchstack advisory offered this information:

“An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Astra Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.9.”

Patchstack assessed the vulnerability as a medium threat and assigned it a score of 6.5 on a scale of 1 – 10.

Wordfence Security Advisory

Wordfence also just published a security advisory. They analyzed the Astra files and concluded:

“The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

It’s generally recommended that users of the theme update their installation, but it’s also prudent to test that the updated theme doesn’t cause errors before pushing it to a live website.

Featured Image by Shutterstock/GB_Art

WordPress 6.5: The features you want to know about

It’s almost time for a new WordPress release! On the 26th of March, WordPress 6.5 will be released. Once again, the WordPress team, consisting of people from all over the world, has lots of new improvements in store for us. To get you excited, we already had a quick look at what features it will bring. So let’s see what we can expect and how you can use these changes to improve your own WordPress website when the release is out.

Introducing the Font Library

The upcoming release includes a new Font Library for the block editor. This library gives you more control over the typography you use throughout your pages. What’s cool about it is that it allows you to install and activate local fonts and Google Fonts on your website. By allowing us to add the fonts of our choice, regardless of the chosen theme, this library gives you more freedom when it comes to design. So make sure to give it a try now that you can manage the fonts you use.

Use the Font Library to view your current fonts and upload new ones

New features in the block editor

There are loads of tweaks made to the block editor, so we’ll highlight a few cool ones here. First of all, WordPress 6.5 will make it possible to rename your blocks in the list view. Right now, this is already possible for your group blocks but the new release will allow you to rename individual blocks as well. Especially with longer pages or pages that consist of lots of different types of blocks, this can be very helpful in keeping an overview while you’re working on that page.

Example of different drop shadow effects on two image blocks in WordPress 6.5

The upcoming release also brings us a few new design options. The drop shadow effect will be available for more blocks, such as the image block and columns. This helps you give a little bit more depth to your pages, make elements stand out and play with the design of your pages. Another design feature that’s coming our way is more control over the look of your cover blocks. You will be able to set aspect ratios and add color overlays that are based on colors in your chosen image, which helps you really customize these cover blocks to fit the overall look and feel of your website.

Renewed overview of style revisions

The style revisions overview in WordPress 6.5

WordPress 6.5 comes with an improved style revisions overview that shows you more information about the changes made in each revision. Go to the editor and click Styles, where you’ll see an option to view past revisions. These are also accessible while you’re working on the design of your templates. The fun thing about this overview of revisions is that it’s a lot more visual than the revision overview you get when editing a page or post.

This overview is shown next to the page and it allows you to view past designs and even apply them again. Overall it feels easier to use and more efficient as it shows you the effect on the page right away. It’s good to know that this is only available for themes that use the block editor.

The Interactivity API

This release also comes with something called the Interactivity API. This feature provides developers with a framework to build interactive front-end experiences while using blocks. The idea is that interacting with these elements doesn’t come with a new page load, making them more interactive than regular pages. This framework is intended to simplify the process without having to use external tools. To give you an idea of what the Interactivity API can be used for, the WordPress team created a WP Movies demo website you can visit.

Improvements in performance and accessibility

The upcoming WordPress 6.5 includes loads of performance updates. One of the main things that comes out of this is a huge improvement in speed when using the Block Editor and Site Editor. In addition, translated websites will see a much quicker load time due to a new, lightweight library.

This new version of WordPress also comes with a bunch of accessibility improvements (more than 65, to be exact). To name a few changes, there have been fixes to contrast settings, positioning of elements and cursor focus, staying true to the WordPress promise of working towards a platform that is accessible for everyone. If you want to dive into the features of WordPress 6.5 a bit more, I would recommend going through their Field Guide to read up on all the changes in this release.

Coming up next!