Plugins are used for extending the functionalities of WordPress and are one of the most important factors to customize the website. There are thousands of compatible and plugin-enabled themes, plugins, and software extensions available through WordPress.org portal. However, the developers of the plugin need to take utmost care while upgrading the plugin due to potential security risks. In addition to that, plugins should also be regularly tested to ensure they are not vulnerable to any critical issues.
Recently, a critical vulnerability was discovered in the Ezoic plugin, a popular plugin that mostly powers online stores. The Ezoic team patched up the issue in their latest version 2.8.8. However, due to a miscommunication between the developers, the patch was not included in the third party plugin. As a result, any WordPress website using Ezoic before its patch will still be vulnerable to an XSS attack.
A miscommunication between the team of Ezoic, the developers of another plugin, has left tens of thousands of websites vulnerable to an XSS attack. The issue was reported to the Ezoic development team by another developer. After the issue was reported, the Ezoic development team patched up the issue in their latest version 2.8.8. However, due to a miscommunication between the developers, the patch was not included in the third party plugin. As a result, any WordPress website using Ezoic before its patch will still be vulnerable to an XSS attack.
How Does XSS Attack work?
An XSS attack is a type of vulnerability that occurs when user data, including cookies, are sent to a third party website. Without any malicious intentions, the websites running on WordPress still have their security compromised because of this vulnerability.
As a result, hackers can steal user information or use it for malicious purposes. They can also read and edit files on the server. This is why it's important to keep plugins updated regularly so that they don't contain any vulnerabilities and your website stays safe.
How Do XSS Attacks Work?
XSS, or Cross Site Scripting, is an attack that injects malicious code into targeted websites. This code can then be executed on the target site to steal data or manipulate user content. The malicious code can also be used by attackers to take control of a website or redirect it to a third-party website. XSS attacks are possible because some WordPress plugins like Ezoic use unsafe practices when displaying content on the front-end.
When XSS attacks are detected, they can sometimes cause serious business consequences and lead to loss of sensitive data for websites and users. For example, if users have their credit card details stored in the database and an attacker injects malicious script into the website, it could be easily stolen from their account. Similarly, if a website has login credentials for users who visit it, accessing those credentials could be easy for hackers with malicious scripts present in the site’s front-end.
Understanding XSS Attack
An XSS attack is a common vulnerability that can be exploited by malicious attackers to gain access to a user’s data and perform actions on behalf of the victim. The malicious attacker uses a web application, like WordPress, which has an input field where the user enters their username and password. The attacker injects an external script or URL in this input field and then clicks on the Submit button. When the user logs into their account, they will see the script being executed by WordPress.
The malicious attacker will have full access to all of the account due to this vulnerability. They can also modify any PHP files or even create new ones within WordPress’ directory without any limitations. This type of vulnerability is often referred to as Reflected Cross-Site Scripting (XSS), since it reflects back some code from a website back onto itself.
Affected Plugins
The following plugins have been impacted by the vulnerability:
Ezoic, WP-WooCommerce, and other WordPress plugins that use the Ezoic Ajax.
Timeline
Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 00:36:00 UTC