Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
The issues, most of which are cross-site scripting (XSS) vulnerabilities, could give some users administrative privileges, warns dxw Security, a British firm that found the issues and disclosed them on Monday.
Two XSS vulnerabilities, one reflected and one stored, can be found in version 3.0 of WordPress’ iframe plugin. The stored vulnerability could allow users to insert arbitrary HTML into pages and exceed the privileges they were granted, Tom Adams, a developer with the firm, warns.
The reflected XSS vulnerability could expose pages which use “get_params_from_url” to an attack.
While WordPress claims it resolved both issues in 4.0, Adams claims that, in the case of the stored XSS vulnerability, the plugin is still vulnerable and that users should disable it until a new version addresses the bug.
Another XSS vulnerability, discovered by dxw in Yoast’s Google Analytics plugin, could enable a privileged user to attack other users by adding arbitrary JavaScript to pages. The problem stems from the fact that some users can edit “capabilities” for other users.
“A user with the manage_options capability but not the unfiltered_html capability is able to add arbitrary JavaScript to a page visible to admins,” Adams wrote regarding the vulnerability on Monday.
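The defensive pattern for the capability gap Adams describes, as an added example that is not code from the Yoast plugin or from dxw: a settings page reachable with manage_options filters markup on save unless the saving user also holds unfiltered_html, and escapes stored values on output. Every name prefixed `example_` is hypothetical; the WordPress functions called are core APIs.

```php
<?php
/**
 * Plugin Name: Example Tracking Settings (constructed example)
 */
// Names prefixed "example_" are hypothetical; the WordPress calls are core APIs.

add_action( 'admin_init', function () {
    register_setting( 'example_tracking_group', 'example_tracking_options', array(
        'sanitize_callback' => 'example_sanitize_tracking_options',
    ) );
} );

add_action( 'admin_menu', function () {
    // The page itself only requires manage_options.
    add_options_page( 'Example Tracking', 'Example Tracking', 'manage_options',
        'example-tracking', 'example_render_tracking_page' );
} );

// Runs on every save of the option, whoever submits the form.
function example_sanitize_tracking_options( $input ) {
    $clean = array();
    if ( ! is_array( $input ) ) {
        return $clean;
    }
    if ( isset( $input['label'] ) ) {
        $clean['label'] = sanitize_text_field( $input['label'] );
    }
    if ( isset( $input['custom_snippet'] ) ) {
        $snippet = (string) $input['custom_snippet'];
        // manage_options alone must not be enough to store raw markup:
        // without unfiltered_html, script tags and event handlers are stripped.
        $clean['custom_snippet'] = current_user_can( 'unfiltered_html' )
            ? $snippet
            : wp_kses_post( $snippet );
    }
    return $clean;
}

function example_render_tracking_page() {
    $opts    = (array) get_option( 'example_tracking_options', array() );
    $label   = isset( $opts['label'] ) ? $opts['label'] : '';
    $snippet = isset( $opts['custom_snippet'] ) ? $opts['custom_snippet'] : '';

    echo '<div class="wrap"><form method="post" action="options.php">';
    settings_fields( 'example_tracking_group' ); // nonce and option group fields
    // Escape on output as well: stored values are treated as untrusted.
    printf( '<input type="text" name="example_tracking_options[label]" value="%s">', esc_attr( $label ) );
    printf( '<textarea name="example_tracking_options[custom_snippet]">%s</textarea>', esc_textarea( $snippet ) );
    submit_button();
    echo '</form></div>';
}
```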
The firm also discovered a blind SQL injection in Symposium, a social networking plugin for WordPress. If exploited, an attacker could have extracted password hashes and other information from a site’s database, according to Glyn Wintle, a contractor for dxw who discovered the bug. Simon Goodchild, Symposium’s creator, reported to Wintle that he fixed the issue in version 15.8 of the plugin roughly four weeks after dxw reported it to him.
WordPress developers have had a busy summer staying on top of fixes for the platform. The CMS fixed half a dozen outstanding security issues last week when it pushed out version 4.2.4 of WordPress. One of the issues it fixed was another, more serious persistent XSS vulnerability that researchers stumbled upon back in May. The bug, which was dug up by Sucuri and branded dangerous, took several months to address, but a fix finally surfaced last week.
That fix arrived just three weeks after yet another XSS vulnerability was found and fixed in all versions of the CMS. Developers were encouraged to update to what was then the latest version, 4.2.3, immediately and warned that the vulnerability could be used to fully hijack a site.