Half of the battle keeping up to date with online security is simply identifying risks and threats. Knowledge is power, and you can’t defend against unknown threats. WordPress is an extremely secure web platform with a lot of benefits such as ease of use and content management simplification, but it’s not perfect. You need to stay on top of web security by knowing the latest threats to different themes, plugins, and code modules. The following are the latest threats, exploits, and vulnerabilities in code modules related to WordPress.
Cross site scripting (XSS) has long been a problem for many different online entities, and WordPress is no exception. In the month of June alone, there have been at least 3 XSS vulnerabilities discovered in common WordPress plugins.
First on the list is WP Smiley version 1.4.1 and earlier. The flaw is in smilies4wp.php: one of the parameters that file accepts is not sanitized, so remote authenticated users can inject their own script or HTML markup into pages served by your site.
In addition, the Ultimate Member plugin (versions 1.2.98-1.2.994) is also affected by an XSS vulnerability. The root cause is not in Ultimate Member itself but in the Redux Framework it is built on, which contains the bug. That framework ships a script named class.p.php that acts like an HTTP proxy. By abusing this script, an attacker can carry out a reflected XSS attack, in which the attacker causes the page to load data from an external location. This data, again, will likely be a malicious script.
Also, the plugin WP-Stats has been found to be exploitable through XSS. This flavor of XSS is a little different from the two above because it is a stored XSS vulnerability: the malicious code is saved inside the application rather than carried in each request. The victim only needs to browse to the page that contains the stored code, and it executes automatically in the victim's browser with no further action on their part.
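To make the distinction between reflected and stored XSS concrete, here is an added example in plain PHP. It is not code from WP Smiley, Ultimate Member, Redux Framework, WP-Stats or WordPress itself; it is a constructed illustration of the two patterns described above, each beside its hardened form. The function and class names (`render_greeting_vulnerable`, `ReferrerLog`, and so on) and the probe string are hypothetical. The fix in both cases is the same: encode untrusted data at the point it is written into HTML. Plain PHP uses `htmlspecialchars()`; inside a WordPress plugin you would use `esc_html()` for text nodes, `esc_attr()` for attribute values, or `wp_kses()` when a limited set of tags must be allowed.

```php
<?php
// Added example, not code from any plugin named in the post.
// Shows the two XSS patterns the post describes and the fix for each:
//   reflected  - a request parameter echoed straight back into the page
//   stored     - a saved value echoed back to every later visitor
// All names here are hypothetical; the probe string is constructed.

// --- Reflected XSS: vulnerable pattern ---------------------------------------
// The value of ?name=... is written into the page with no encoding, so any
// HTML or <script> in the parameter runs in the visitor's browser.
function render_greeting_vulnerable(array $get): string {
    $name = $get['name'] ?? 'guest';
    return "<p>Hello, " . $name . "</p>";
}

// --- Reflected XSS: hardened pattern -----------------------------------------
// Encode on output. htmlspecialchars() here; esc_html() in WordPress.
function render_greeting_safe(array $get): string {
    $name = $get['name'] ?? 'guest';
    return "<p>Hello, " . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>";
}

// --- Stored XSS: vulnerable and hardened patterns ----------------------------
// A stats-style plugin records a visitor-supplied value (a referrer string)
// and later renders the list on an admin page. With unescaped output, the
// payload is stored once and fires for every person who views that page.
class ReferrerLog {
    /** @var string[] */
    private array $rows = [];

    public function record(string $referrer): void {
        // Storing the raw value is fine; the defect is in the output below.
        $this->rows[] = $referrer;
    }

    public function render_vulnerable(): string {
        $out = "<ul>";
        foreach ($this->rows as $r) {
            $out .= "<li>" . $r . "</li>";   // unescaped: stored XSS
        }
        return $out . "</ul>";
    }

    public function render_safe(): string {
        $out = "<ul>";
        foreach ($this->rows as $r) {
            $out .= "<li>" . htmlspecialchars($r, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>";
        }
        return $out . "</ul>";
    }
}

// --- Demonstration with a constructed input ----------------------------------
$probe = '<script>alert(1)</script>';   // constructed test string

echo "reflected, vulnerable: " . render_greeting_vulnerable(['name' => $probe]) . "\n";
echo "reflected, hardened:   " . render_greeting_safe(['name' => $probe]) . "\n";

$log = new ReferrerLog();
$log->record('https://example.invalid/');
$log->record($probe);
echo "stored, vulnerable:    " . $log->render_vulnerable() . "\n";
echo "stored, hardened:      " . $log->render_safe() . "\n";
```

Running this with `php` prints the `<script>` tag intact in the two vulnerable lines and as `&lt;script&gt;...` in the hardened ones, which is exactly the difference a browser sees. Two practical points follow from the example: escape at output time rather than at storage time, since the same stored value may later be rendered in different contexts, and choose the escaping function for the context (text node, attribute, URL, or JavaScript), because a value that is safe inside `<li>` is not automatically safe inside an `href` or an inline event handler.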