Social media plugin puts 100,000 WordPress sites at risk

All users of NextScripts WordPress plugin urged to update to the latest patched release


In yet another vulnerability that could have serious repercussions, cybersecurity researchers have discovered a cross-site scripting (XSS) bug in the NextScripts: Social Networks Auto-Poster plugin for WordPress.

The plugin automatically publishes posts from a website to any of its configured social media accounts, with no manual intervention.

Discovered by Wordfence's Ramuel Gall, the vulnerability in the popular WordPress plugin, which has over 100,000 installations, made it possible to perform a reflected cross-site scripting attack.


“As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover,” observes Gall.

Superglobal quirk

While explaining the bug, Gall notes that the XSS vulnerability reared its head because of a relatively obscure peculiarity of how PHP handles superglobal variables.

“This meant that it was possible to execute JavaScript in the browser of a logged-in administrator by tricking them into visiting a self-submitting form that sent a POST request to their site,” says Gall.
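The article does not spell out which PHP superglobal behaviour was involved, so the following added example (not the plugin's code, and not from Wordfence) assumes it is the fact that `$_REQUEST` is populated from both `$_GET` and `$_POST` (merge order governed by the `request_order` / `variables_order` ini directives). Under that assumption, a parameter a settings page expects to arrive in the query string can equally be supplied by a POST body, which is what makes a self-submitting form a delivery vehicle for a reflected value. The function names, the `tab` parameter and the fallback stand-ins for WordPress's `esc_html()` and `sanitize_key()` are all hypothetical; the stand-ins exist only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows a reflected output pattern in a
// WordPress admin screen next to a hardened version of the same rendering step.
//
// Assumption (not stated in the article): the "superglobal quirk" is that
// $_REQUEST merges $_GET and $_POST, so a value expected from the query string
// can also come from a POST body submitted by a self-submitting form.

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// esc_html() and sanitize_key() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}

// VULNERABLE pattern: a value read from the merged request array is echoed
// into admin HTML without escaping, so whatever the browser sent is rendered.
function render_tab_heading_vulnerable(array $request): string {
    $tab = $request['tab'] ?? 'general';
    return '<h2>Settings: ' . $tab . '</h2>';
}

// HARDENED pattern: read only from the source the page is designed for ($_GET
// here, passed in as an array), restrict the value to a known list, and escape
// on output. Any handler that changes state on POST should additionally call
// check_admin_referer() with the nonce emitted by wp_nonce_field() in the form.
function render_tab_heading_hardened(array $get): string {
    $allowed = ['general', 'accounts', 'log'];
    $tab = sanitize_key($get['tab'] ?? 'general');
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';   // unknown tab names are replaced, never echoed back
    }
    return '<h2>Settings: ' . esc_html($tab) . '</h2>';
}

// Constructed inputs: a normal query string, and a POST body that carries the
// same parameter name with markup in it.
$benign_get   = ['tab' => 'accounts'];
$hostile_post = ['tab' => '<script>/* injected markup */</script>'];

// What $_REQUEST looks like when both are present: POST wins over GET under
// the default request_order, so the POST value is what the page renders.
$merged_request = array_merge($benign_get, $hostile_post);

echo render_tab_heading_vulnerable($merged_request), PHP_EOL; // raw markup reaches the page
echo render_tab_heading_hardened($benign_get), PHP_EOL;       // known tab name rendered escaped
echo render_tab_heading_hardened($hostile_post), PHP_EOL;     // value rejected, default used
```

The hardened function relies on two independent controls: reading from a single, explicitly chosen input source with an allow-list, and HTML-escaping at the point of output. Either one alone would have prevented the rendered markup in this example; together they also cover the case where a later refactor switches the code back to `$_REQUEST`.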

The vulnerability was disclosed to the plugin’s developer in August, and a patched update of the plugin was released in early October.


Wordfence suggests all users of the plugin update to its latest version to prevent abuse of their WordPress websites.


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
