Enhanced Text Widget Vulnerability – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2024-0559 | WordPress Plugin Vulnerability Report
Plugin Name: Enhanced Text Widget
Key Information:
- Software Type: Plugin
- Software Slug: enhanced-text-widget
- Software Status: Active
- Software Author: cl272
- Software Downloads: 773,012
- Active Installs: 50,000
- Last Updated: February 20, 2024
- Patched Versions: 1.6.6
- Affected Versions: <= 1.6.5
Vulnerability Details:
- Name: Enhanced Text Widget <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
- Title: Authenticated (Administrator+) Stored Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-0559
- CVSS Score: 4.4 (Medium)
- Publicly Published: February 20, 2024
- Researcher: Dmitrii Ignatyev
- Description: The Enhanced Text Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget options in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Summary:
The Enhanced Text Widget for WordPress has a vulnerability in versions up to and including 1.6.5 that allows authenticated users with admin access to inject malicious scripts into pages through widget options. This vulnerability has been patched in version 1.6.6.
Detailed Overview:
The Enhanced Text Widget plugin, which allows for rich text widgets, is vulnerable to stored cross-site scripting attacks. The vulnerability, discovered by researcher Dmitrii Ignatyev, lies in insufficient sanitization of inputs and escaping of outputs in the widget options in versions 1.6.5 and below. This makes it possible for an attacker with admin access to store malicious scripts as widget options. These scripts will then get executed when a user views an injected page, leading to compromise of user data and accounts. This affects multi-site installations and sites where the unfiltered_html capability has been disabled. The risk is rated medium severity based on a CVSS score of 4.4.
Version 1.6.6, released on February 20, 2024, fixes this vulnerability by properly sanitizing inputs before storing them and escaping outputs before displaying widget data. Users are advised to update immediately to close this attack vector.
Advice for Users:
- Immediate Action: Update to version 1.6.6 as soon as possible.
- Check for Signs of Vulnerability: Examine widget options for unauthorized or suspicious scripts. Also check site pages for unwanted redirects or iframes.
- Alternate Plugins: Consider using native text widgets or other rich text plugins like WP Edit.
- Stay Updated: Ensure plugins are kept updated, especially ones that process user inputs.
Conclusion:
This moderately severe vulnerability underscores the need for secure coding practices like proper input validation and output escaping. Users should install security plugins to detect unauthorized script injections. Prompt action by the plugin developer has mitigated the risk but users should still apply the update.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/enhanced-text-widget
Detailed Report:
Keeping your WordPress website and its plugins up-to-date is crucial for security. Unfortunately, a recently disclosed vulnerability in a popular plugin serves as an urgent reminder of this need. The Enhanced Text Widget plugin, which has over 700,000 downloads and 50,000 active installs, has a stored cross-site scripting (XSS) vulnerability affecting all versions up to 1.6.5.
This plugin by developer cl272 allows for rich text widgets on WordPress sites. The vulnerability enables attackers with admin access to inject malicious scripts into webpages through the widget configuration options. Once present, these unauthorized scripts execute whenever a user visits a compromised page, putting their data and accounts at risk.
Specifically, this stored XSS vulnerability circumvents filters and escaping meant to prevent unauthorized code from executing on pages. By inputting malicious scripts into the plugin's widget settings, an attacker can store this code so that it loads on pages with a vulnerable widget installed. This especially threatens multi-site installations and sites where unfiltered HTML has been disabled.
The severity has been rated 4.4 out of 10 on the common vulnerability scoring system (CVSS) which means it poses a medium risk. If exploited, this could lead to account compromise, data theft, or phishing against your site's users. It could also enable further attacks on the broader site.
Fortunately, the developer has released Enhanced Text Widget version 1.6.6 which patches this vulnerability by sanitizing inputs and escaping outputs as needed. Users are strongly advised to update as soon as possible to close this attack route. You can do this manually via the dashboard or use automated plugins.
This is not the first vulnerability found in Enhanced Text Widget, with four others emerging since June 2023. While the developer has been responsive, this track record highlights the general risks of relying on complex third-party plugins that process user inputs. As a small business owner Without dedicated technical staff, keeping everything updated is essential but difficult.
In addition to updating Enhanced Text Widget, check all plugins and themes are running latest versions. Enable automatic background updates wherever possible. Also consider limiting the number of plugins in use to only essential ones, as each poses potential risk. Employing multifactor authentication for all admin accounts can also help limit unauthorized access. We offer complimentary website scans and consultation services to help identify any lingering issues.
Staying vigilant is key for every website owner. As threats evolve, what is secure today may not suffice tomorrow without timely patches, configurations and reviews. Automating where possible and seeking expert help builds essential resilience against disruptive attacks that undermine customer trust and impact revenue. By taking prompt action, Enhanced Text Widget users can mitigate this particular risk before any harm is done.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.