Advanced Access Manager Vulnerability – Restricted Content, Users & Roles, Enhanced Security and More – Reflected Cross-Site Scripting – CVE-2024-29127 | WordPress Plugin Vulnerability Report
Plugin Name: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Key Information:
- Software Type: Plugin
- Software Slug: advanced-access-manager
- Software Status: Active
- Software Author: vasyltech
- Software Downloads: 5,341,354
- Active Installs: 100,000
- Last Updated: March 20, 2024
- Patched Versions: 6.9.21
- Affected Versions: <= 6.9.20
Vulnerability Details:
- Name: Advanced Access Manager <= 6.9.20
- Title: Reflected Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVE: CVE-2024-29127
- CVSS Score: 6.1
- Publicly Published: March 20, 2024
- Researcher: Rafie Muhammad - Patchstack
- Description: The Advanced Access Manager plugin for WordPress is susceptible to Reflected Cross-Site Scripting (XSS) in all versions up to and including 6.9.20, caused by insufficient input sanitization and output escaping. This vulnerability could allow unauthenticated attackers to execute arbitrary web scripts on pages viewed by users, provided they can persuade a user to click on a malicious link.
Summary:
The Advanced Access Manager plugin, a popular WordPress tool for managing access and enhancing security, has been identified as having a Reflected Cross-Site Scripting vulnerability in versions up to and including 6.9.20. This security issue has been effectively resolved in the newly released version 6.9.21.
Detailed Overview:
This vulnerability was discovered by Rafie Muhammad from Patchstack, who noted that the plugin failed to adequately sanitize user input and escape output, leading to a scenario where attackers could inject harmful scripts into web pages. These scripts could then be executed in the context of a user's session, potentially leading to compromised personal information or unauthorized actions performed on behalf of the user. The severity of this vulnerability, with a CVSS score of 6.1, underlines the necessity of immediate action by website administrators to prevent potential exploits.
Advice for Users:
- Immediate Action: It is critical for users of the Advanced Access Manager plugin to update to version 6.9.21 promptly to protect their websites from potential XSS attacks.
- Check for Signs of Compromise: Administrators should examine their websites for any unusual activity or signs of compromise, which may indicate that this vulnerability was exploited before the update was applied.
- Alternate Plugins: While the immediate concern has been addressed, users may consider evaluating other plugins that offer similar functionality as a precautionary measure against future vulnerabilities.
- Stay Updated: Ensuring that all WordPress plugins, themes, and the core system are regularly updated is vital in maintaining the security and integrity of your website.
Conclusion:
The rapid response by the Advanced Access Manager development team to address the Reflected Cross-Site Scripting vulnerability underscores the ongoing battle between maintaining functionality and ensuring security within the WordPress ecosystem. Users are urged to upgrade to version 6.9.21 or later to safeguard their installations against this and potentially other security risks.
References:
- Wordfence Vulnerability Report on Advanced Access Manager 6.9.20
- Patchstack Report on Advanced Access Manager