djbaxter
Persistent XSS Vulnerability Discovered in WP Super Cache Plugin
by Sarah Gooding, WordPress Tavern
April 8, 2015

The security team at Sucuri has issued an advisory for WordPress users who have the WP Super Cache plugin activated on their sites. The popular caching plugin contains a dangerous persistent XSS vulnerability that was promptly patched in its 1.4.4 release.

Sucuri ranks the risk as "Dangerous" with a DREAD score of 8/10. Exploiting the vulnerability is relatively easy for an attacker intent on injecting a backdoor. Sucuri breaks down the technical details of the threat as follows:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin's cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site's administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.

Make certain your plugins are updated to the latest versions!

Read more...
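To show what the class of bug described above looks like from the fixing side, here is an added illustration (not WP Super Cache's actual code, and not from the article): an admin-only listing page rendering cache entries whose names originate from visitor-controlled requests. The function name, nonce action and the `uri`/`size` array layout are assumptions; `current_user_can`, `check_admin_referer`, `esc_html` and `wp_die` are WordPress core functions.

```php
<?php
// Added illustration of a hardened admin "cached files" listing.
// wpsc_example_render_cache_listing and the nonce action name are hypothetical.

function wpsc_example_render_cache_listing( array $cache_entries ) {
    // Only administrators, and only with a valid nonce for this screen.
    // The nonce limits who can reach the page; it does not neutralise
    // markup already stored in the cache, so output escaping is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wpsc_example_list_cache' ); // hypothetical nonce action

    echo '<table class="widefat"><thead><tr><th>Cached URL</th><th>Size</th></tr></thead><tbody>';
    foreach ( $cache_entries as $entry ) {
        // VULNERABLE pattern (the shape of a persistent XSS in a listing page):
        //   echo '<td>' . $entry['uri'] . '</td>';
        // The URI was chosen by an anonymous visitor when the page was cached,
        // so any markup in it is stored and later runs in the administrator's browser.

        // HARDENED: escape every untrusted value for the context it is printed in.
        echo '<tr>';
        echo '<td>' . esc_html( $entry['uri'] ) . '</td>';
        echo '<td>' . (int) $entry['size'] . '</td>';
        echo '</tr>';
    }
    echo '</tbody></table>';
}

// Constructed sample data: one benign entry and one whose URI carries markup.
$sample = array(
    array( 'uri' => '/about/', 'size' => 12034 ),
    array( 'uri' => '/?s=<b>hello</b>', 'size' => 880 ),
);
wpsc_example_render_cache_listing( $sample );
```

With `esc_html`, the second entry is printed as literal text (`&lt;b&gt;hello&lt;/b&gt;`) instead of being interpreted as HTML by the administrator's browser.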