XSS Flaw in WordPress Plugin Allows Injection of Malicious Code

Hardly a week goes by without some new vulnerability in WordPress or one of its components showing up on a mailing list or in a security advisory. This week’s first entrant is a newly disclosed flaw in a plugin that displays ad banners on WordPress sites, a bug that enables an attacker to inject malicious JavaScript or HTML code on any vulnerable site.


The vulnerability is in WP Banners Lite, a WordPress plugin designed to make it simple for site owners to install and manage ad banners.

“WP Banners Lite is a plugin which allows you to manage banners on your website. You can use as many different types of banners as you wish. Just create desired banner type and implement it into your theme,” the plugin documentation says.

On Monday a security researcher disclosed a vulnerability in WP Banners Lite and published a proof-of-concept demonstration of an exploit for the flaw. The flaw affects versions 1.29, 1.31 and 1.40 of the plugin. The researcher who discovered and published the vulnerability said he had sent the information to the developer of WP Banners Lite but hadn’t received a response.

“The problem is in wpbanners_show.php, at lines 8 and 9: the developer doesn’t correctly filter the variable called ‘cid’ obtained from the URL (GET method). He obtains ‘cid’ from the URL, does a str_replace to remove ‘ and then prints it,” the advisory says.

The researcher, Fernando A. Lagos Berardi, said in the advisory that an attacker could exploit the problem by injecting his own HTML or JavaScript. Version 1.40 is the most recent version of the WP Banners Lite plugin listed on the developer’s page on WordPress.org.
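As an added illustration (not the plugin’s code, which the advisory does not reproduce), the pattern the advisory describes, rebuilt in PHP beside a hardened version. It assumes `cid` is a numeric banner id and that the value is printed into an HTML attribute; `esc_attr()` is WordPress’s attribute-escaping helper, with a stand-in definition so the file also runs outside WordPress.

```php
<?php
// Stand-in for WordPress's esc_attr() so this file runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// The pattern the advisory describes: the GET value is stripped of single
// quotes and then printed. Deleting one character is not output encoding;
// anything that contains no single quote reaches the page untouched.
// (The surrounding markup is an assumption for illustration.)
function render_weak($cid) {
    $cid = str_replace("'", '', $cid);
    return '<div class="wpb-banner" data-cid="' . $cid . '"></div>';
}

// Hardened: validate the value against the type the plugin expects
// (a positive integer id) and reject everything else ...
function render_hardened($cid) {
    $id = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ''; // not a banner id: render nothing rather than the raw input
    }
    // ... and still encode at the output boundary, so a later change to the
    // validation rule cannot silently reopen the injection.
    return '<div class="wpb-banner" data-cid="' . esc_attr($id) . '"></div>';
}

// Self-check with a constructed probe: digits followed by stray markup.
function self_check(): bool {
    $probe = '7<i>x</i>';
    $weak_leaks = strpos(render_weak($probe), '<i>') !== false;     // markup passes through
    $hard_clean = strpos(render_hardened($probe), '<i>') === false   // rejected
        && render_hardened('42') === '<div class="wpb-banner" data-cid="42"></div>';
    return $weak_leaks && $hard_clean;
}

echo self_check() ? "hardened version neutralises the probe\n" : "check failed\n";
```

Inside a real plugin the same idea is spelled `absint($_GET['cid'])` on input and `esc_attr()` or `esc_html()` at the point of output, depending on the HTML context the value lands in.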


Discussion

  • Ian Dunn on

    If your opening statement had read...

    Hardly a week goes by without some new vulnerability in a WordPress plugin or theme showing up on a mailing list or in a security advisory.

    ...then it would have been accurate; and, actually, a bit on the generous side.

    But as it stands, it's misleading, and kind of offensive. When was the last time there was a serious, widespread vulnerability in WP core? 3 years ago? The only things that have been discovered in recent memory have been minor edge cases, and they've been discovered by WP developers, and they've been patched before they ever became public.

    If you want to bash plugin and theme developers, go right ahead. Many of us deserve it, but WP itself is very secure, and has been for a long time.
