Researchers have discovered flaws in a number of WordPress plugins that, if successfully exploited, could allow an attacker to execute arbitrary code and take control of a website in certain circumstances.
The Elementor issues are a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), in which a malicious script is injected directly into a vulnerable web application, according to Wordfence, which discovered the security flaws in the plugin.
Multiple HTML element flaws discovered
The flaws take advantage of the fact that dynamic data entered in a template can be used to include malicious scripts that launch XSS attacks. Such behaviour can be prevented by validating the input and escaping the output, so that HTML tags passed as input are rendered harmless.
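To make the validate-and-escape point concrete, here is an added illustration in plain PHP (not code from Elementor, WP Super Cache or Wordfence): a hypothetical WordPress-style widget template that renders an editor-supplied heading, shown before and after hardening. The settings array and its values are constructed sample input.

```php
<?php
// Added illustration, not Elementor's code: a hypothetical widget template
// whose 'tag' and 'text' options are stored from the editor and later rendered.

// Vulnerable rendering: both the tag name chosen in the editor and the text are
// dropped into the template unchanged, so a stored value such as 'script'
// becomes live markup every time the page is viewed (stored XSS).
function render_heading_vulnerable(array $settings): string {
    return '<' . $settings['tag'] . '>' . $settings['text'] . '</' . $settings['tag'] . '>';
}

// Hardened rendering, mirroring the two mitigations in the text:
//  1. validate the input: the tag option must be one of the allowed options;
//  2. escape the output: the text is HTML-escaped so any tags a user typed are
//     shown as literal characters instead of being parsed by the browser.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

function render_heading_hardened(array $settings): string {
    $tag = strtolower((string) ($settings['tag'] ?? ''));
    if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
        $tag = 'h2'; // fall back to a safe default rather than trusting the stored value
    }
    $text = htmlspecialchars((string) ($settings['text'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag}>{$text}</{$tag}>";
}

// Constructed sample settings, as a low-privileged editor user could save them.
$settings = [
    'tag'  => 'script',
    'text' => 'alert(1)',
];

echo render_heading_vulnerable($settings), PHP_EOL; // emits an executable <script> element
echo render_heading_hardened($settings), PHP_EOL;   // emits an inert <h2> with escaped text
```

Run with `php example.php`; the hardened output is what a plugin should emit for every editor-controlled setting, which is also the kind of restriction Elementor's fix describes as hardening the allowed options.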
Separately, WP Super Cache was found to have an authenticated remote code execution (RCE) vulnerability that could allow an attacker to upload and execute malicious code with the goal of taking control of the site. More than two million WordPress sites use the plugin.
Following responsible disclosure on February 23, Elementor fixed the issues in version 3.1.4, released on March 8, by hardening “allowed options in the editor to enforce better security policies”. Similarly, Automattic, the company behind WP Super Cache, stated that version 1.7.2 fixes the “authenticated RCE in the settings page.”
Users of both plugins are strongly advised to update to the most recent versions to reduce the risk posed by these flaws.