Over 7 Million Websites Are Affected By Flaws In Two Common WordPress Plugins
It goes without saying that the vast majority of websites on the Internet are created using WordPress. Elementor and WP Super Cache are two of the most commonly used plugins for building WordPress websites, and Wordfence researchers have now found flaws in these plugins.
The Hacker News website points out that the vulnerability can even be used to gain admin access to the site, and anyone using one of these plugins is advised to update to the latest version as soon as possible.
The vulnerability has been fixed in version 3.1.4 of the Elementor plugin and version 1.7.2 of the WP Super Cache plugin. The main issue is that it allows cross-site scripting (XSS) attacks.
Most articles written by a normal user on a WordPress website are reviewed by an admin or an editor. When an admin opens such an article for review, the XSS attack runs automatically in the admin's session and can be used to create another admin user.
The vulnerabilities take advantage of the fact that dynamic data entered in a template can contain malicious scripts intended to launch XSS attacks. Such attacks can be prevented by validating the input and escaping the output data, which renders HTML tags passed as input harmless.
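The difference between trusting template settings and validating and escaping them, as an added example that is not code from Elementor, WP Super Cache or the original article. The function names and the sample submission are hypothetical and constructed; inside WordPress the escaping step would normally use the core helpers `esc_html()`, `esc_attr()` or `wp_kses()` rather than a hand-written wrapper.

```php
<?php
// Added example: models a template element whose settings are supplied
// by a low-privilege author and later rendered in a reviewer's browser.

const ALLOWED_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

// Escape a value for an HTML text node or a quoted attribute.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: every setting is concatenated into the markup as submitted.
function render_unsafe(array $s): string
{
    return "<{$s['tag']} class=\"{$s['class']}\">{$s['text']}</{$s['tag']}>";
}

// After: the structural value (tag name) is validated against an
// allow-list, and everything placed in an attribute or text node is escaped.
function render_safe(array $s): string
{
    $tag = strtolower((string) ($s['tag'] ?? ''));
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        $tag = 'div'; // fall back instead of trusting the submitted value
    }
    $class = esc((string) ($s['class'] ?? ''));
    $text  = esc((string) ($s['text'] ?? ''));

    return "<{$tag} class=\"{$class}\">{$text}</{$tag}>";
}

// Constructed submission standing in for data entered by a normal user.
$submitted = [
    'tag'   => 'script',
    'class' => 'x" onmouseover="alert(1)',
    'text'  => '<img src=x onerror=alert(1)>',
];

echo "unsafe: ", render_unsafe($submitted), PHP_EOL;
echo "safe:   ", render_safe($submitted), PHP_EOL;
```

Escaping alone would not stop the submitted tag name from becoming a `<script>` element, which is why the tag is checked against an allow-list while the attribute and text values are escaped.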
To minimize the risk associated with the flaws, users of the plugins are advised to upgrade to the most recent versions.