Critical WordPress plugin bug enables automated takeovers.
Attackers can exploit a critical vulnerability in the WP Product Review Lite plugin, installed on more than 40,000 WordPress sites, to inject malicious code and potentially take over compromised sites.
WP Product Review Lite helps website owners quickly create customized review articles using predefined templates.
The plugin supports affiliate links, rich snippets, widgets and buy buttons as additional monetization options.
Stored XSS leading to site takeover
The bug in WP Product Review Lite, discovered by Sucuri Labs' research team, can be exploited by unauthenticated attackers.
They can bypass WordPress' user-input sanitization to launch a stored cross-site scripting (stored XSS) attack which, if successful, lets them inject malicious scripts into every product stored in the target site's database.
Fortunately, the Sucuri Labs team is not aware of any exploits currently targeting this vulnerability.
Attacks without authentication are very serious because they can be automated, making it easier for hackers to launch successful and widespread attacks against vulnerable sites, said vulnerability researcher John Castro of Sucuri Labs.
The number of active installations, the ease of exploitation and the consequences of a successful attack make this vulnerability particularly dangerous.
Figure: Sucuri Labs
If attackers can trick a site administrator into viewing a compromised product, they can redirect the administrator to a malicious site or steal session cookies to authenticate on the administrator's behalf.
This allows attackers to add new admin accounts to gain full control over the compromised WordPress site.
Website visitors are also at risk, because a malicious script running in their browser can be used by attackers to redirect them to malicious websites.
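The exposure described above, as an added example that is not WP Product Review Lite's own code: a hypothetical WordPress AJAX handler in the unauthenticated stored-XSS pattern, beside a hardened version that closes each gap. All function names, hook suffixes and the meta key are assumed for illustration.

```php
<?php
// Hypothetical plugin fragment (added example, not the plugin's real code).
// Assumed names: wppr_demo_* functions/hooks and the post meta key _demo_review_pros.

// VULNERABLE PATTERN: an AJAX endpoint reachable without login (wp_ajax_nopriv_)
// writes attacker-controlled text into every product's post meta with no nonce,
// no capability check and no sanitization, then echoes it unescaped in the admin UI.
add_action( 'wp_ajax_nopriv_demo_save_pros', 'wppr_demo_save_pros_vulnerable' );
function wppr_demo_save_pros_vulnerable() {
    $pros = $_POST['pros'];                       // raw input; may contain <script> tags
    foreach ( get_posts( array( 'post_type' => 'product', 'numberposts' => -1 ) ) as $p ) {
        update_post_meta( $p->ID, '_demo_review_pros', $pros );
    }
    wp_die();
}
function wppr_demo_render_pros_vulnerable( $post_id ) {
    // Stored payload is rendered as-is, so it runs in the viewing admin's browser.
    echo get_post_meta( $post_id, '_demo_review_pros', true );
}

// HARDENED PATTERN: logged-in hook only, nonce + capability checks, input sanitized
// on the way in and escaped on the way out (defence in depth: neither alone suffices).
add_action( 'wp_ajax_demo_save_pros', 'wppr_demo_save_pros_hardened' );
function wppr_demo_save_pros_hardened() {
    check_ajax_referer( 'demo_save_pros', 'nonce' );            // rejects forged requests
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );                 // one post, one permission check
    }
    // sanitize_text_field strips tags and line breaks; wp_unslash undoes WP's magic quoting.
    $pros = sanitize_text_field( wp_unslash( $_POST['pros'] ?? '' ) );
    update_post_meta( $post_id, '_demo_review_pros', $pros );
    wp_send_json_success();
}
function wppr_demo_render_pros_hardened( $post_id ) {
    // Escape at output time regardless of what is in the database.
    echo esc_html( get_post_meta( $post_id, '_demo_review_pros', true ) );
}
```

The hardened handler also narrows the write to a single post the caller may edit, which removes the "inject into every product" amplification the article describes.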
Tens of thousands of sites still exposed
ThemeIsle, the developer of WP Product Review Lite, fixed the vulnerability in version 3.7.6, released on May 14, the day after Sucuri Labs' report.
Users are strongly advised to update the plugin to the latest version as soon as possible to prevent attacks aimed at taking over their sites or redirecting visitors and administrators to malicious sites.
#WordPress vulnerability alert! During a recent scan, we discovered an unauthenticated stored #XSS vulnerability in WP Product Review. Plugin users: please update as soon as possible! https://t.co/zilzFThs0o #WebsiteSecurity
– Sucuri (@sucurisecurity) May 14, 2020
Nearly 7,000 users have adopted the fixed version of WP Product Review Lite since its release, while more than 33,000 sites running vulnerable versions of the plugin remain exposed to attack.
Over the past 30 days, researchers have also disclosed stored cross-site scripting (stored XSS) vulnerabilities in a number of other plugins, including Ninja Forms, Real-Time Find and Replace and Contact Form 7 Datepicker, with over 1,200,000 active installations between them.