A cross-site scripting vulnerability in the WordPress plugin WP Statistics could have enabled a complete website takeover.
The WordPress plugin WP Statistics has patched a cross-site scripting (XSS) vulnerability that could have allowed a full website takeover when the site runs under certain non-default settings.
WP Statistics gives website owners a tool to analyze site statistics, including the number of visitors to the website, which browsers visitors are using, and more. The plugin is made by VeronaLabs and has more than 500,000 active installations.
The unauthenticated stored XSS flaw exists in a plugin feature that lets a website use an HTTP header to determine visitors’ IP addresses. XSS can be a severe class of vulnerability: it lets attackers inject client-side scripts into web pages that are then viewed by other users. However, this vulnerability can only be exploited when the affected website uses specific non-default configurations, meaning the default settings are not vulnerable, said researchers with Sucuri, who discovered the flaw.
“Certain types of data may appear safe, such as the visitor’s IP address; however, in reality, they aren’t always what you expect,” said Antony Garand, a security vulnerability researcher at Sucuri, in a Wednesday analysis. “Due to certain assumptions from the developers, it’s possible for visitors to inject malicious code on administrative pages, leading to a full website takeover.”
Versions of the plugin before 12.6.7 are vulnerable to the unauthenticated stored cross-site scripting flaw; a patch addressing it has been issued in version 12.6.7. Researchers said they first contacted the developer about the issue on June 26, 2019. The patch was released on July 1.
IP Address Abuse
The vulnerability stems from the plugin failing to sanitize or validate users’ IP addresses when it uses a header to identify them, potentially allowing an attacker to inject malicious code into the website.
By default, websites that use the plugin can easily determine visitors’ IP addresses. However, when a website running the plugin sits behind a firewall, the user’s connection reaches that firewall before it reaches the website.
That means the website no longer knows the original user’s IP address, only the firewall’s. To address this, the firewall adds a header containing the user’s original IP, allowing the site to identify the actual user.
“Since the default value of the IP addresses is the header value, and it isn’t sanitized or validated with the FILTER_VALIDATE_IP method, it will be saved as-is if there aren’t multiple IP addresses in the header,” researchers said.
There are several roadblocks an attacker needs to overcome to abuse this flaw. First, a website is only affected when the plugin is configured to use a header to determine the visitor’s IP address. The website must also sit behind a bypassable firewall (meaning the website is configured to accept connections from anyone, not only those forwarded by the firewall).
Under those conditions, an attacker could supply their own forwarded IP value: “The common factor among these settings is the forwarded value being fully controlled by the attacker,” researchers said.
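To make the two preconditions concrete, the following is an added PHP example written for this article; it is not code from WP Statistics or Sucuri. It shows the defensive pattern the researchers’ comment implies: honour a forwarded header only when the direct peer is a known proxy or firewall, validate every candidate address with FILTER_VALIDATE_IP before storing it, and still escape the value when rendering it on an admin page. The function names client_ip and render_cell, the TRUSTED_PROXIES constant, and the sample addresses are all assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's own code): choose and validate a visitor
// IP address so that an attacker-controlled header is never stored as-is.

// Hypothetical list of proxies/firewalls allowed to set the forwarded header.
// A site with no proxy in front of it should leave this empty, so the header
// is ignored and only the direct connection address is used.
const TRUSTED_PROXIES = ['203.0.113.10']; // constructed sample address

/**
 * Return a validated client IP, or null if nothing trustworthy was found.
 *
 * @param array  $server Normally $_SERVER; passed in so the logic can be exercised offline.
 * @param string $header Server key of the forwarded header, e.g. HTTP_X_FORWARDED_FOR.
 */
function client_ip(array $server, string $header = 'HTTP_X_FORWARDED_FOR'): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only trust the header when the peer that sent it is one of our proxies.
    // If the site accepts connections from anyone, the header is attacker input.
    if (!in_array($remote, TRUSTED_PROXIES, true) || empty($server[$header])) {
        return filter_var($remote, FILTER_VALIDATE_IP) ?: null;
    }

    // The header may carry a comma-separated chain; the first entry is the
    // original client, later entries are the proxies it passed through.
    $chain = array_map('trim', explode(',', $server[$header]));

    // filter_var() returns the address string on success and false otherwise,
    // so a non-IP value (such as markup) is rejected instead of being saved.
    return filter_var($chain[0], FILTER_VALIDATE_IP) ?: null;
}

/**
 * Render a value inside an admin table cell. Even a validated IP is escaped
 * on output; inside WordPress itself esc_html() would be used for this step.
 */
function render_cell(?string $value): string
{
    return '<td>' . htmlspecialchars($value ?? 'unknown', ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed requests covering the three cases discussed in the article.
$direct  = ['REMOTE_ADDR' => '198.51.100.7'];                       // no proxy involved
$proxied = ['REMOTE_ADDR' => '203.0.113.10',                        // trusted firewall in front
            'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.10'];
$tainted = ['REMOTE_ADDR' => '203.0.113.10',                        // header is not an IP
            'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>'];

foreach (['direct' => $direct, 'proxied' => $proxied, 'tainted' => $tainted] as $name => $request) {
    $ip = client_ip($request);
    echo $name, ': ', render_cell($ip), PHP_EOL;
}
```

The two checks correspond to the article’s two preconditions: the in_array test is what a "bypassable firewall" removes (anyone can reach the site directly and set the header themselves), and the filter_var call is the validation the quoted researchers say was missing. Applying either one would have stopped the stored payload; applying both also keeps the statistics accurate.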
Let’s look, in simple terms, at how WordPress works once it is installed:
You get access to a convenient WYSIWYG (What You See Is What You Get) interface to safely work with all the content on your website.
You can create new web pages in a variety of formats.
The content you create is stored in a database.
You can use the same interface to edit your content in the database.
When visitors come to your site, the data in the database is presented to them in a website layout. You can change this layout at any time; your content will automatically take on the new look.
Why Should You Use WordPress?
News agency Reuters uses WordPress to keep journalists up to date with the latest news as it happens. Music streaming service Spotify powers its entire website with WordPress.