The SiteOrigin Widgets Bundle WordPress plugin, with over 600,000 installations, patched an authenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to upload arbitrary files and expose site visitors to malicious scripts.
SiteOrigin Widgets Bundle Plugin
The SiteOrigin Widgets plugin, with over 600,000 active installations, provides an easy way to add a multitude of widget functions such as sliders, carousels, and maps, to change the way blog posts are displayed, and to add other useful webpage elements.
Stored Cross-Site Scripting Vulnerability
A Cross-Site Scripting (XSS) vulnerability is a flaw that allows a hacker to inject (upload) malicious scripts. In WordPress plugins, these kinds of vulnerabilities arise when input data is not properly sanitized (filtered for untrusted data) and when output data is not properly secured (called escaping data).
This particular XSS vulnerability is called a Stored XSS because the attacker is able to inject the malicious code onto the server. According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes it particularly concerning.
OWASP describes the stored XSS threat:
“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users.”
In an XSS attack in which a script has been successfully injected, the attacker sends a harmful script to an unsuspecting site visitor. The user’s browser, because it trusts the website, executes the script. This can allow the attacker to access cookies, session tokens, and other sensitive website data.
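The sanitize-on-input and escape-on-output pairing described above, as an added example that is not the plugin's code and not from the original article. Plain PHP functions stand in for WordPress's sanitize_text_field() and esc_html(); the function names, the in-memory store and the sample title are constructed for illustration.

```php
<?php
// Added example with constructed data. In a real plugin, use WordPress's
// sanitize_text_field() on input and esc_html() on output instead of these stand-ins.

/** Input sanitization: strip markup and control characters before storing. */
function sanitize_title(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return trim($clean);
}

/** Output escaping: encode HTML metacharacters for an HTML text context. */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable render: trusts whatever is in the data store. */
function render_unsafe(array $widget): string
{
    return '<h3 class="widget-title">' . $widget['title'] . '</h3>';
}

/** Hardened render: escapes at output regardless of how the value was stored. */
function render_safe(array $widget): string
{
    return '<h3 class="widget-title">' . escape_html($widget['title']) . '</h3>';
}

// Constructed sample input: a harmless marker script standing in for untrusted input.
$submitted = 'Latest posts<script>alert("xss-test")</script>';

// Simulated data store (hypothetical; stands in for the WordPress database).
$store = [
    'legacy' => ['title' => $submitted],                 // saved with no sanitization
    'new'    => ['title' => sanitize_title($submitted)], // saved through the sanitizer
];

foreach ($store as $name => $widget) {
    printf("%-6s unsafe: %s\n", $name, render_unsafe($widget));
    printf("%-6s safe:   %s\n", $name, render_safe($widget));
}
```

The legacy row shows why output escaping is needed alongside input sanitization: a value that reached the data store unsanitized is still rendered as inert text by the hardened renderer, while the unsafe renderer passes the script tag through to the browser.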
Vulnerability Description
The vulnerability arose because of flaws in sanitizing inputs and escaping data.
The WordPress developer page for security explains sanitization: