Categories: Wordpress

Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites

The U.S. National Vulnerability Database (NVD) published an entry for a Stored Cross-Site Scripting (XSS) vulnerability in a popular Google Analytics WordPress plugin that is installed on over 3 million websites.

Stored XSS

A Cross-Site Scripting (XSS) vulnerability arises when a part of a website that accepts user input places that input into a page without proper sanitization or output encoding, so that text an attacker supplies (a script tag, an event-handler attribute, a crafted link) is interpreted by a visitor's browser as code rather than as plain data.

An XSS vulnerability lets an attacker run script of their choosing in a visitor's browser, in the security context of the affected site. Depending on who views the injected content, that can mean theft of session cookies and other user data, unwanted redirects or advertisements, or, when a logged-in administrator is the victim, actions carried out with the administrator's privileges that amount to a full site takeover.

The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”

A stored (persistent) XSS, which is arguably worse, is one in which the malicious script is saved on the website's server itself, for example in the database as a plugin setting, comment or post field, and is then served to every visitor who loads the affected page; the attacker does not need to trick each victim into clicking a crafted link.

The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.
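To make the stored-XSS mechanism concrete, the following is an added illustration written for this page; it is not code from MonsterInsights, from Patchstack, or from the original article, and it does not reproduce the specific flaw in the plugin. It models a hypothetical plugin setting ("site_label") that is saved once and rendered on every page load, first with the value echoed raw and then with sanitization on input and HTML escaping on output. Plain PHP functions stand in for the WordPress helpers a real plugin would call (sanitize_text_field(), esc_html(), esc_attr()), so the script runs without a WordPress install.

```php
<?php
// Added example (not MonsterInsights code): a hypothetical plugin setting
// that is stored once and rendered to every visitor. Shows the vulnerable
// raw-echo path beside the hardened sanitize-on-input / escape-on-output path.
declare(strict_types=1);

// Stand-in for the wp_options table. Because the value persists across
// requests, a payload written here is served to every visitor who loads the
// page, which is what makes the bug a stored XSS.
$options = [];

function save_setting_vulnerable(array &$store, string $value): void
{
    // Stores exactly what the request carried, untouched.
    $store['site_label'] = $value;
}

function render_vulnerable(array $store): string
{
    // Raw concatenation into markup: the browser parses the stored string as
    // HTML, so a <script> element or an onerror= handler inside it executes.
    return '<div class="label">' . $store['site_label'] . '</div>';
}

function save_setting_hardened(array &$store, string $value): void
{
    // Input sanitization, in the spirit of WordPress sanitize_text_field():
    // drop tags and control characters, then trim whitespace.
    $clean = strip_tags($value);
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $clean) ?? '';
    $store['site_label'] = trim($clean);
}

function esc_html_like(string $text): string
{
    // Output escaping for an HTML text node, the job esc_html() does in
    // WordPress. Use attribute-context escaping (esc_attr()) inside attributes
    // and a URL-context function for href/src values; one encoder does not
    // fit every context.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $store): string
{
    // Escape at the point of output regardless of how the value got into the
    // store. Input sanitization is defence in depth, not a substitute.
    return '<div class="label">' . esc_html_like($store['site_label']) . '</div>';
}

// Constructed payload: the textbook stored-XSS probe. Nothing here comes from
// the real advisory.
$payload = '<img src=x onerror="alert(document.cookie)">';

// 1. Vulnerable path: the payload is stored and echoed back as live markup.
save_setting_vulnerable($options, $payload);
echo render_vulnerable($options), PHP_EOL;

// 2. Hardened path: sanitization strips the tag before it is stored.
save_setting_hardened($options, $payload);
echo render_hardened($options), PHP_EOL;

// 3. Hardened output even when sanitization was bypassed or never ran
//    (for example, a value written by an older version or by direct DB edit):
//    escaping turns the angle brackets and quotes into harmless entities.
$options['site_label'] = $payload;
echo render_hardened($options), PHP_EOL;
```

Run it with `php stored_xss_demo.php`. The first line of output is the payload embedded as live HTML; the second shows the setting reduced to an empty label because the tag was stripped on input; the third shows the same payload rendered as inert text because it was HTML-encoded on output. The last case is the important one for plugin authors: stored data may have been written before a fix shipped, so escaping on output is what actually closes a stored XSS, and a changelog entry that only mentions "hardening" gives site owners no hint that such a fix is present.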

MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability

The MonsterInsights Google Analytics plugin is installed on over three million websites, which makes this vulnerability more concerning: a single flaw in one plugin exposes a very large number of sites at once.

WordPress Security company, Patchstack, which discovered the vulnerability, published details:

“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 8.14.1.”

The MonsterInsights plugin changelog on the WordPress plugin repository offered a somewhat vague explanation of the security patch:

“Fixed: We fixed a PHP warning error and added additional security hardening.”

“Security hardening” is a term that can be applied to many tasks that reduce a site's attack surface, such as hiding the software version number from page markup.

WordPress has published an entire page about security hardening that recommends security hardening tasks such as regular database backups, obtaining themes and plugins from trusted sources, and using strong passwords.

All of those activities count as security hardening.

That is why “security hardening” is too general and generic a phrase for something as specific (and important) as patching an XSS vulnerability: a site owner reading that changelog entry could reasonably treat the release as routine and postpone the update, leaving the vulnerability exploitable on their site.

Recommended Action

Patchstack recommends that all users of the MonsterInsights Analytics Plugin update their WordPress plugin immediately to the latest version or at least version 8.14.1.

Read the U.S. National Vulnerability Database announcement:

CVE-2023-23999 Detail

Read Patchstack’s announcement:

WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)

Published by
Taylor Davis