|
This article has been assessed not ready for publication.Please see the review comments on the collaboration page. When these things have been done, and the article is ready to be reviewed and fact-checked, Submit for review?Template:Assistant:Submit/formSubmit for review by changing the |
| This article has been assessed not ready for publication.
Please see the review comments on the collaboration page. When these things have been done, and the article is ready to be reviewed and fact-checked, Submit for review?Template:Assistant:Submit/formSubmit for review by changing the |
Tuesday, March 30, 2021
Ivory Search, a WordPress plugin with over 60,000 active installations was found Sunday to have a security vulnerability that would allow attackers to perform damaging actions on websites that use the plugin. The vulnerability, known as reflected cross-site scripting (XSS) allows the execution of malicious JavaScript code by an unauthenticated attacker due to the lack of proper validation of user input in the plugin. Ivory Search versions 4.6 and below were found to be vulnerable to this issue by Jinson Varghese Behanan, a security researcher who immediately contacted the plugin’s development team who released a patch on March 30, 2021, fixing the bug in version 4.6.1. As of April 4, only 35% of the websites using the plugin have updated to the latest version. Considering the security risk, it is highly recommended that all the websites update to the latest version of Ivory Search.
Based on a technical analysis of the changes made by the team at WPScan, a free WordPress vulnerability management service, the Search Forms page of the plugin had not properly sanitised the “tab” parameter before printing it out in the page, leading to reflected XSS when opening a maliciously=crafted URL as a high privilege user such as a WordPress admin or editor. In order to exploit this, the knowledge of a search form ID is required. Behanan reported no active exploitation has been traced thus far.
WordPress is a popular free content management system used by over 40% of the top 10 million websites on the internet. It has been one of the primary targets for attackers who have continued to exploit vulnerabilities found in third party plugins and themes to perform malicious actions. When applications are vulnerable to XSS, an attacker gains the ability to execute malicious JavaScript code which can lead to website redirection, theft of session cookies, website defacement, etc. As a result, XSS has been listed as one of the Open Web Application Security Project’s Top 10 vulnerabilities. With JavaScript being the most commonly used client-side scripting language, website developers have used it to control how a website interacts with the users visiting it.
A vulnerability like XSS arises when a developer fails to properly validate user input fields on the website. This enables an attacker to insert malicious JavaScript code into these fields which are then executed by the browser as legitimate code and thus allows the attacker to perform damaging actions. For example, an attacker can exploit the XSS vulnerability to steal a session cookie, the unique token a website uses to recognise a logged-in user’s identity as they browse from page to page. If an attacker gains access to a user’s session cookie for a particular website, they will be able to access the logged-in session of that user without requiring to enter the username and password. Similarly, XSS can be used to insert JavaScript code that redirects the website to a malicious page or insert forms into the website with the purpose of baiting end users to enter their username and password which will then get sent to the attacker.