Tag Archives: Persistent Cross-Site Scripting (XSS)

28 Feb 2025

Persistent Cross-Site Scripting (XSS) Vulnerability in Traffic Manager

Our Plugin Vulnerabilities Firewall blocked an attempt to exploit a vulnerability we traced back to the plugin Traffic Manager. The plugin was closed on the WordPress Plugin Directory in September 2022 for a claimed security issue. No details were provided. Based on the timing of the closure and public claims about vulnerabilities in the plugin, that would appear to be related to a different security vulnerability than the hacker was trying to exploit. This security issue they were trying to exploit is a persistent cross-site scripting (XSS) vulnerability.

The details provided with the block show that an AJAX request was made with the action used UserWebStat. And the value of a POST input “page” sent with the request was a script tag. Traffic Manager makes the function UserWebStat() in the file /traffic-manager.php accessible through an AJAX request with that action for those logged in to WordPress as well those not logged in: [Read more]

24 Feb 2025

Settings Change and Persistent Cross-Site Scripting (XSS) Vulnerabilities in Donate visa

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin Donate visa in third-party data we monitor. The probing was done by requesting a file from the plugin if the plugin had existed on a website, /wp-content/plugins/donate-visa/readme.txt. The plugin was closed on the WordPress Plugin Directory on November 5, 2024. The reason given for the closure is “Security Issue.” Nothing was provided to vet the claim there was a security issue. Competitors of ours have claimed there is an unfixed vulnerability that allows attackers “with Subscriber-level access and above, to perform an unauthorized action.” They provided nothing to back that up. Looking at the code, we found what they appear to be referring to, but as is so often the case, they didn’t bother to do proper vetting and got a basic detail wrong. The real vulnerability is one you would expect to be exploited.

The only code that looks like it could be related to the claimed vulnerability is the code that handles saving the plugin’s settings. That is handled by the function donate_visa_dvsmp_ajax() in the file /includes/class-donate-visa-dvsmp-plugin.php. That doesn’t include any security checks: [Read more]

31 May 2024

Hacker Targeting Incompletely Fixed Vulnerability in WordPress Plugin YITH WooCommerce Ajax Search

A hacker has started targeting a vulnerability in the WordPress plugin YITH WooCommerce Ajax Search, which has been incompletely fixed. That vulnerability allows an attacker to cause malicious JavaScript code to run on an admin page of the website. While a recent update protects those using the updated version from exploitation, it doesn’t fully address the problem, so any websites updated after it was exploited are still vulnerable. While not all older versions of the plugin are vulnerable, it looks like significant portion of the 70,000+ websites using the plugin could still be using a vulnerable version based on the data provided by WordPress about its usage and download count.

Yesterday, our Plugin Vulnerabilities Firewall blocked multiple attempts to exploit the vulnerability on our website. The exploit attempts came from an IP address, 93.174.93.127, registered to IP Volume inc: [Read more]

25 Jul 2023

Unfixed Persistent Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin Targeted by Hacker

Today, we had someone probing for usage of the WordPress plugin MultiParcels Shipping For WooCommerce through a request for the plugin’s readme.txt file on one of our websites.

On July 17, a vague claim that an authenticated SQL injection vulnerability had recently been fixed in the plugin was released, which might explain a hacker’s interest in the plugin. There is also a claim that a minor vulnerability that has not been fixed yet exists in the plugin. [Read more]

7 Jul 2023

Persistent Cross-Site Scripting (XSS) Vulnerability in Post SMTP

The changelog for presumably the next version of the WordPress plugin Post SMTP contains an entry that suggested a vulnerability might be being fixed:

…

[Read more]

15 Jun 2023

Persistent Cross-Site Scripting (XSS) Vulnerabilty in WP Mail Logging

The changelog entry for the two latest versions of the WordPress plugin WP Mail Logging indicated that security issues had been addressed:

…

[Read more]

14 Feb 2023

Persistent Cross-Site Scripting (XSS) Vulnerability in 10Web Booster

We recently saw what looked to be a hacker probing for usage of the WordPress plugin 10Web Booster with this request on a couple of our websites:

/wp-content/plugins/tenweb-speed-optimizer/readme.txt [Read more]

31 Jan 2023

Hacker Might Be Exploiting Unfixed Plugin Vulnerability That WPScan, Patchstack, and Wordfence All Claimed Was Fixed

In a now deleted review of the WordPress plugin Beautiful Cookie Consent Banner, someone made the claim that the plugin is insecure and leading to malware:

The plugin is full of malware. Check your source code and run a security check. If you have malware, its this plugin!!! [Read more]

31 Oct 2022

Persistent Cross-Site Scripting (XSS) Vulnerability in Log HTTP Requests

Two months ago, the WordPress plugin Log HTTP Requests was updated with the changelog reading, “Escaped URL field to prevent possible XSS (props Bishop Fox)”.

…

[Read more]

19 Oct 2022

Persistent Cross-Site Scripting (XSS) Vulnerability in Advanced Contact Form 7 DB (Advanced CF7 DB)

In a separate post we discuss in more detail at vague claims made that there has been a persistent cross-site scripting (XSS) vulnerability in the plugin Advanced Contact Form 7 DB (Advanced CF7 DB). Patchstack claimed that a vulnerability of that type was fixed in version 1.8.8, but the details provided only state:

…

[Read more]