
A reflected cross-site scripting vulnerability was discovered in a popular WordPress anti-malware plugin. This is a vulnerability that allows an attacker to compromise an administrator-level user on the affected website.
WordPress Plugin Affected
The vulnerability was discovered in the Anti-Malware Security and Brute-Force Firewall plugin, which is used by over 200,000 websites.
Anti-Malware Security and Brute-Force Firewall is a plugin that protects a website by acting as a firewall (to prevent incoming threats) and a security scanner (to detect security threats such as backdoor hacks and database injections).
A premium version protects websites from brute force attacks that attempt to guess passwords and usernames, as well as DDoS attacks.
Vulnerability for Cross-Site Scripting Reflected
This plugin was discovered to have a vulnerability that could allow an attacker to launch a Reflected Cross-Site Scripting (reflected XSS) attack.
In this context, a reflected cross-site scripting vulnerability occurs when a WordPress website does not properly sanitize and escape the input it receives before writing that input back into a page.
Failure to restrict (sanitize) that input is essentially equivalent to leaving the website’s front door unlocked and allowing virtually anything to be submitted.
A hacker exploits this flaw by placing a script in a request and having the website reflect it back in its response.
When someone with administrator-level permissions visits a crafted URL created by the attacker, the script runs in that administrator’s browser, with the administrator’s logged-in session (and therefore their permissions) available to it.
The vulnerability was described in the WPScan report on Anti-Malware Security and Brute-Force Firewall:
“The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters”
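As an added illustration (not the plugin's code, and not from the WPScan report), the following PHP shows the pattern the quoted finding describes, the raw QUERY_STRING written into an admin page, next to its escaped form. The form markup, the function names and the sample query string are assumptions made up for the example.

```php
<?php
// Added example, not code from the plugin or from WPScan: a minimal
// reproduction of the pattern the advisory describes (the raw QUERY_STRING
// written into an admin page) beside the escaped form.
// Run from the command line with: php reflected_qs.php
declare(strict_types=1);

// Vulnerable pattern. In a real request the argument would be
// $_SERVER['QUERY_STRING']. It is inserted into an HTML attribute verbatim,
// so a double quote in the request closes the attribute and any markup that
// follows it becomes part of the page.
function render_vulnerable(string $query_string): string
{
    return '<form method="post" action="admin.php?' . $query_string . '">'
         . '<input type="submit" value="Save"></form>';
}

// Fixed pattern. The value is escaped for the attribute context before
// output, so quotes and angle brackets reach the browser as &quot; &lt; &gt;
// and are rendered as text. Inside WordPress the same job is done by
// esc_attr() (or esc_url() for a complete URL); htmlspecialchars() is used
// here so the file runs without WordPress loaded.
function render_fixed(string $query_string): string
{
    $escaped = htmlspecialchars($query_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="admin.php?' . $escaped . '">'
         . '<input type="submit" value="Save"></form>';
}

// Crude self-check standing in for a browser: report whether an element that
// is not part of the template (<b>) ended up in the rendered markup.
function contains_injected_element(string $html): bool
{
    return strpos($html, '<b>') !== false;
}

// Constructed request (hypothetical page slug): a harmless <b> element is
// enough to show the break-out; the advisory's point is that whatever markup
// sits in the query string is reflected into the page.
$constructed_query = 'page=example-settings&q="><b>injected</b>';

$rendered = [
    'vulnerable' => render_vulnerable($constructed_query),
    'fixed'      => render_fixed($constructed_query),
];
foreach ($rendered as $label => $html) {
    printf("%-10s injected element present: %s\n%s\n\n",
           $label, contains_injected_element($html) ? 'yes' : 'no', $html);
}
```

The vulnerable rendering reports the injected element as present; the fixed rendering does not, because the input now appears only as text inside the attribute. The WPScan wording "browsers which do not encode characters" refers to the fact that most current browsers percent-encode a double quote or angle bracket in the query component before sending the request, which is why the raw characters only reach the server from clients that do not; the fix has to happen on the server regardless of that behaviour, since an attacker is not bound to use a browser that encodes.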
The National Vulnerability Database of the United States Government has not yet assigned a severity level to this vulnerability.
This plugin’s vulnerability is known as a Reflected XSS vulnerability.
There are other types of XSS vulnerabilities, but these are the three most common:
- Stored Cross-Site Scripting Vulnerability (Stored XSS)
- Blind Cross-site Scripting (Blind XSS)
- Reflected XSS
In a stored XSS vulnerability, the malicious script is stored on the website itself. These are generally regarded as a more serious threat because it is easier to get an administrator-level user to trigger the script. However, this is not the type discovered in the plugin.
A reflected XSS, as discovered in the plugin, requires a person with admin-level credentials to be duped into clicking a link (for example, from an email), which causes the website to reflect the malicious payload back to that person’s browser.
A Reflected XSS is defined as follows by the non-profit Open Web Application Security Project (OWASP):
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.”
It is recommended that you update to Version 4.20.96
Before updating any plugin or theme, it is generally recommended that you make a backup of your WordPress files.
The vulnerability has been fixed in version 4.20.96 of the Anti-Malware Security and Brute-Force Firewall WordPress plugin.
Users of the plugin are advised to consider updating to version 4.20.96.