WordPress Plugin Vulnerability Report – wpDiscuz – Authenticated (Administrator+) Stored Cross-Site Scripting

Plugin Name: wpDiscuz

Key Information:

  • Software Type: Plugin
  • Software Slug: wpdiscuz
  • Software Status: Active
  • Software Author: advancedcoding
  • Software Downloads: 3,042,036
  • Active Installs: 80,000
  • Last Updated: November 17, 2023
  • Patched Versions: 7.6.13
  • Affected Versions: <= 7.6.12

Vulnerability Details:

  • Name: wpDiscuz <= 7.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
  • Title: Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: November 17, 2023
  • Description: The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.6.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Summary:

The wpDiscuz plugin for WordPress has a vulnerability in versions up to and including 7.6.12 that allows authenticated users with admin privileges to inject malicious scripts into pages. This vulnerability has been patched in version 7.6.13.

Detailed Overview:

A stored cross-site scripting (XSS) vulnerability was discovered in the wpDiscuz plugin that allows authenticated users with admin privileges to inject arbitrary JavaScript code into pages through insufficient sanitization of user input. This injected code will execute when the compromised page is loaded by a user.

The vulnerability was reported by the Wordfence Threat Intelligence team on November 17, 2023. It affects wpDiscuz versions up to and including 7.6.12. The developer has released version 7.6.13 to address this issue by properly sanitizing and escaping user input.

This vulnerability poses a serious risk, as compromised admin accounts could be used to inject malicious scripts into pages to steal session cookies or sensitive information from users. While unauthenticated users are not directly affected, the injected scripts will execute for any user that views a compromised page.

Advice for Users:

  1. Immediate Action: Upgrade to wpDiscuz version 7.6.13 as soon as possible.
  2. Check for Signs of Compromise: Review all admin settings pages for unauthorized JavaScript. Watch for unexpected behavior when viewing pages.
  3. Alternate Plugins: Consider a comment plugin like Disqus or Facebook Comments as a temporary precaution.
  4. Stay Updated: Always keep plugins updated and review changelogs for security fixes.

Conclusion:

This vulnerability highlights the ongoing need for secure coding practices and rapid response to disclosed issues by developers. Users should install the 7.6.13 patch immediately to prevent exploitation of this stored XSS flaw. Prompt updates are key to keeping WordPress sites secure.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpdiscuz

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpdiscuz/wpdiscuz-7612-authenticated-administrator-stored-cross-site-scripting

Detailed Report:

Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in themes, plugins, and WordPress core are frequently disclosed that can put your site at risk if left unpatched. One such vulnerability was recently revealed in a popular WordPress commenting plugin, wpDiscuz, that allows authenticated users with admin privileges to inject malicious JavaScript code into pages. This stored cross-site scripting (XSS) vulnerability affects wpDiscuz versions up to and including 7.6.12 and has been given a severity rating of 4.4 out of 10 by CVSS standards. If exploited, this flaw could be used to steal sensitive user data or session cookies. While a fix has been released in version 7.6.13, any site still running an older version of wpDiscuz could be compromised. In this post, we'll break down the technical details of this vulnerability, provide advice to help determine if your site is affected, and give recommendations to mitigate your risk. As website security experts, we aim to keep readers informed of the latest threats and empower them to protect their online presence. If you have any concerns about the security of your WordPress site, please don't hesitate to reach out.

About the wpDiscuz Plugin

The wpDiscuz plugin, developed by advancedcoding, is a popular comments plugin for WordPress with over 3 million downloads and 80,000 active installs. It allows site owners to customize and manage comments on their WordPress sites.

Details of the Vulnerability

A stored cross-site scripting (XSS) vulnerability was discovered in wpDiscuz versions up to and including 7.6.12. This vulnerability allows authenticated users with admin privileges to inject arbitrary JavaScript code into pages through insufficient sanitization of user input. The injected malicious code would then execute when the compromised page loads.

The vulnerability was given a CVSS severity score of 4.4 out of 10, meaning it is ranked as a medium-risk vulnerability.

Potential Impacts

This vulnerability poses a serious threat if exploited, as compromised admin accounts could inject malicious scripts across the site. Attackers could leverage this to steal session cookies, hijack accounts, or extract other sensitive information from users.

While unauthenticated users are not directly affected, the injected scripts will execute for any user that views a compromised page, exposing them to risk as well.

How to Check if Your Site is Vulnerable

Any site running wpDiscuz version 7.6.12 or below is likely vulnerable; as the advisory description notes, the flaw applies to multisite installations and to sites where the unfiltered_html capability has been disabled. Users should check their plugin version by going to Plugins > Installed Plugins in their WordPress dashboard.

You can also review your site's pages and wpDiscuz settings for any unauthorized JavaScript code that may indicate your site was already compromised.
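As an added example (not part of this report or of the wpDiscuz plugin), the two checks above expressed as a POSIX shell script: a version comparison against the patched release 7.6.13, and a scan of a settings dump for script markers. The settings lines are constructed sample data with placeholder keys, and the WP-CLI commands named in the comments are assumed usage.

```shell
#!/bin/sh
# Added example (not from the report or the wpDiscuz project): two defender-side checks.
# 1) compare an installed version against the patched release named in the report;
# 2) flag stored settings whose values carry script markers.
# The settings lines below are constructed sample data; the keys are placeholders, not
# wpDiscuz's real option names. On a live site, feed WP-CLI output into these functions
# instead, e.g. `wp plugin get wpdiscuz --field=version` (assumed usage).

PATCHED_VERSION="7.6.13"

# version_lt A B: exit 0 when dot-separated version A is older than B (POSIX awk, no sort -V).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1   # equal versions are not "less than"
  }'
}

# wpdiscuz_is_affected VERSION: exit 0 when VERSION is below the patched 7.6.13.
wpdiscuz_is_affected() {
  version_lt "$1" "$PATCHED_VERSION"
}

# flag_script_markers: read "key=value" lines on stdin and print the keys whose value
# contains a <script tag, a javascript: URL, or an inline on*= event handler attribute.
flag_script_markers() {
  grep -E -i '^[^=]+=.*(<script|javascript:|<[^>]*[[:space:]]on[a-z]+[[:space:]]*=)' | cut -d= -f1
}

# Constructed sample of what a settings dump might look like (placeholder keys).
SAMPLE_SETTINGS='wc_footer_text=Thanks for reading
wc_header_html=<script src="https://example.invalid/x.js"></script>
wc_label_html=<a href="/about" onmouseover="x()">About</a>
wc_note=Please be civil'

# Stand-alone run: report on a sample version and on the sample settings.
if wpdiscuz_is_affected "7.6.12"; then
  echo "wpDiscuz 7.6.12 is below $PATCHED_VERSION: update required"
fi
printf '%s\n' "$SAMPLE_SETTINGS" | flag_script_markers | sed 's/^/suspicious setting: /'
```

Any key the scan prints deserves a manual look in the wpDiscuz settings screens; a clean scan does not prove the site was never compromised, only that these markers are absent.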

How to Fix the Vulnerability

The developer has issued wpDiscuz version 7.6.13 to fix this vulnerability. Users should update to the latest version as soon as possible.

As a precaution, site owners can also consider switching to an alternate commenting plugin like Disqus or Facebook Comments until the update can be completed.

Importance of Staying Updated

This vulnerability underscores the critical importance of keeping your WordPress site updated. Developers release security patches for vulnerabilities like this frequently, so staying on top of updates for your plugins, themes, and WordPress core is essential.

At a minimum, site owners should have automatic background updates enabled for WordPress core. Monitoring your site's plugins and themes for updates regularly is also recommended.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
