Question 1

What exactly is the vulnerability in Hotjar?

Accepted Answer

What exactly is the vulnerability in Hotjar?

The vulnerability is a stored cross-site scripting (XSS) flaw that affects Hotjar versions up to and including 1.0.15. Stored XSS vulnerabilities allow attackers to inject malicious scripts into a site's database. The script then gets executed whenever a user visits a page that contains the malicious code. In the case of Hotjar, authenticated users with admin access can add JavaScript payloads to the hotjar_site_id parameter. This gets stored in the database and will run whenever someone views an injected page or post.

Question 2

How can this vulnerability be exploited?

Accepted Answer

How can this vulnerability be exploited?

Since the vulnerability requires admin access, an attacker would first need to compromise an admin account. They could then add malicious JavaScript to posts, pages or widgets that contain the hotjar_site_id parameter. For example, code that steals session cookies, redirects users to phishing pages, or mines cryptocurrency in visitors' browsers. Whenever a user visits a page with the injected code, the script gets executed due to the XSS flaw, allowing the attack to succeed.

Question 3

What risks does this vulnerability create?

Accepted Answer

What risks does this vulnerability create?

This flaw leaves sites open to serious potential impacts. Attackers could gain access to user accounts, steal sensitive data, deface sites, redirect visitors, install cryptominers and essentially fully compromise a site. Even if admin access is properly restricted, the vulnerability could still be leveraged for social engineering attacks by injecting hidden malicious content into pages that appear benign.

Question 4

What versions of Hotjar are affected?

Accepted Answer

What versions of Hotjar are affected?

Hotjar has not yet issued a patch, so all versions up to and including 1.0.15 remain vulnerable as of October 2023. Any site running the plugin should update to the latest version once a fix is released.

Question 5

Should I delete Hotjar until a patch is available?

Accepted Answer

Should I delete Hotjar until a patch is available?

That depends on your specific needs. If the analytics and feedback functionality Hotjar provides is mission-critical, you may opt to keep using it while taking steps to restrict admin access and monitor for unauthorized changes. If you can do without Hotjar for now, disabling or deleting it is the safest option.

Question 6

How can I tell if my site was compromised via this vulnerability?

Accepted Answer

How can I tell if my site was compromised via this vulnerability?

Carefully review your pages, posts and widgets for any unexpected JavaScript code, especially code using the hotjar_site_id parameter. Also check for unauthorized admin accounts or suspicious activity logs. Signs like your site suddenly running slow could indicate a cryptominer was installed. If possible, restore from a known good backup made before the vulnerability was disclosed.

Question 7

Are other plugins affected too, or just Hotjar?

Accepted Answer

Are other plugins affected too, or just Hotjar?

This specific vulnerability only affects the Hotjar plugin. However, vulnerabilities are discovered frequently in WordPress plugins. It's critical to keep all your plugins updated, use trusted plugins from reputable developers, and restrict admin access to minimize risks.

Question 8

Should I switch to a different analytics plugin until Hotjar is patched?

Accepted Answer

Should I switch to a different analytics plugin until Hotjar is patched?

Switching to an alternative analytics plugin is recommended if you need ongoing stats but don't want to run vulnerable Hotjar versions right now. Some popular options to consider are MonsterInsights, Analytify and Google Analytics. Just be sure to keep alternative plugins updated as well.

Question 9

How can I prevent vulnerabilities like this in the future?

Accepted Answer

How can I prevent vulnerabilities like this in the future?

Some steps to improve security overall include enabling automatic background updates, restricting admin access, using strong passwords, monitoring for unauthorized changes, and signing up for security update notifications. Also be selective about plugins, favoring those that are well-supported and proactively fixed when issues arise.

Question 10

I don't have time to stay on top of security issues like this. What should I do?

Accepted Answer

I don't have time to stay on top of security issues like this. What should I do?

Consider contracting a managed service provider or specialized security firm to handle tasks like monitoring, updates, backups, access restrictions and vulnerability response. They can ensure your site is locked down without you needing to constantly monitor the latest threats and updates yourself.

Plugin

WordPress Plugin Vulnerability Report – Hotjar – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2023-1259

WordPress Plugin Vulnerability Report – Essential Addons for Elementor – Authenticated (Contributor+) Privilege Escalation

WordPress Plugin Vulnerabilities Report – Booster for WooCommerce – Authenticated Stored Cross-Site Scripting & Information Disclosure – CVE-2023-4945, CVE-2023-4796

WordPress Plugin Vulnerability Report: Slimstat Analytics – Authenticated (Contributor+) Blind SQL Injection via Shortcode – CVE-2023-4598

WordPress Plugin Vulnerability Report: EWWW Image Optimizer – Sensitive Information Exposure

WordPress Plugin Vulnerability Report: User Feedback – Unauthenticated Stored Cross-Site Scripting – CVE-2023-39308

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy