wpDataTables Vulnerability – Reflected Cross-Site Scripting – CVE-2024-0591 | WordPress Plugin Vulnerability Report
Plugin Name: wpDataTables
Key Information:
- Software Type: Plugin
- Software Slug: wpdatatables
- Software Status: Active
- Software Author: wpdatatables
- Software Downloads: 1,303,680
- Active Installs: 70,000
- Last Updated: February 20, 2024
- Patched Versions: 3.4.2.5
- Affected Versions: <= 3.4.2.4
Vulnerability Details:
- Name: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.2 - Reflected Cross-Site Scripting.
- Title: Reflected Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-0591
- CVSS Score: 6.1 (Medium)
- Publicly Published: February 20, 2024
- Researcher: stealthcopter
- Description: The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Summary:
The wpDataTables plugin for WordPress has a vulnerability in versions up to and including 3.4.2.4 that allows for reflected cross-site scripting attacks. This vulnerability has been patched in version 3.4.2.5.
Detailed Overview:
The researcher stealthcopter disclosed a reflected cross-site scripting (XSS) vulnerability affecting the wpDataTables WordPress plugin. It arises from insufficient sanitization of user input and insufficient escaping of that input on output, enabling unauthenticated remote attackers to inject arbitrary web scripts by tricking administrators or other users into clicking specially crafted links containing malicious payloads. A successful exploit results in the injected script executing within the victim's browser session, in the context of the vulnerable site. This could enable a range of impacts from session hijacking to deployment of remote access Trojans. Versions 3.4.2.2 and earlier are affected. The flaw has been addressed in version 3.4.2.5, so users should upgrade as soon as possible.
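The root cause named above, insufficient sanitization and output escaping, is the general reflected-XSS pattern: a request parameter is copied straight into the response. The Python example below is added here for illustration; it is not the plugin's code, and because the advisory does not identify the affected endpoint the request path and the two rendering functions are hypothetical. It places the defective pattern next to the fix, which is escaping for each output context the value lands in (HTML body, quoted attribute, JavaScript string literal), and it handles the case where a value containing '</script>' would otherwise terminate the script element even inside a JavaScript string. In WordPress plugin code, esc_html() and esc_attr() play the role that html.escape() plays here.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed example link. The path is a placeholder: the advisory names only
# the 'A' parameter, not the endpoint that reflects it.
SAMPLE_URL = "/example-page/?A=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def get_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded ('' if absent)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def js_string(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside <script>.

    json.dumps() yields a valid JS string literal but leaves '<', '>' and '&'
    untouched, so a value containing '</script>' would still close the script
    element in the HTML parser. Those characters are emitted as \\uXXXX escapes.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_vulnerable(url: str) -> str:
    """Defective pattern (hypothetical page): the raw parameter is reflected
    into three output contexts with no escaping at all."""
    value = get_param(url, "A")
    return (f"<h2>{value}</h2>\n"
            f'<input type="text" name="A" value="{value}">\n'
            f'<script>var tableFilter = "{value}";</script>')


def render_hardened(url: str) -> str:
    """The same page with context-appropriate output escaping.
    WordPress code would use esc_html() / esc_attr() for the first two lines."""
    value = get_param(url, "A")
    return (f"<h2>{html.escape(value, quote=False)}</h2>\n"
            f'<input type="text" name="A" value="{html.escape(value, quote=True)}">\n'
            f"<script>var tableFilter = {js_string(value)};</script>")


def reflects_verbatim(rendered: str, value: str) -> bool:
    """True if the untrusted value appears unchanged in the response,
    which is the condition a reflected XSS needs."""
    return value in rendered


if __name__ == "__main__":
    payload = get_param(SAMPLE_URL, "A")
    print("vulnerable reflects verbatim:", reflects_verbatim(render_vulnerable(SAMPLE_URL), payload))
    print("hardened reflects verbatim:  ", reflects_verbatim(render_hardened(SAMPLE_URL), payload))
    print(render_hardened(SAMPLE_URL))
```

The point of the three contexts is that one escaping routine does not fit all of them: html.escape() is right for body text and quoted attributes, but inside a script block the value must be a JavaScript literal, and even then the HTML parser still scans the script body for '</script>', which is why js_string() encodes the angle brackets.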
Advice for Users:
- Immediate Action: Upgrade to wpDataTables version 3.4.2.5 or later to resolve the vulnerability.
- Check for Signs of Compromise: Review browser logs and application logs for any suspicious activity. Also scan for unauthorized code additions across application files.
- Alternate Plugins: Consider using alternative data table plugins like TablePress or Ultimate Tables as a precaution.
- Stay Updated: Routinely check that all active plugins are running the latest versions. Developers generally address vulnerabilities promptly, but users still need to deploy patches.
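Following up the "Check for Signs of Compromise" item: one concrete check is to scan the web server access log for requests whose 'A' parameter carries HTML markup or script, which a data-table parameter never legitimately needs. The Python script below is an added example, not from the advisory or the plugin; its log lines are constructed, the request path is a placeholder, and the indicator pattern is a starting point rather than a complete rule set. It also decodes each value a second time so that double-encoded values are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Apache/nginx combined format). Addresses are
# from the documentation ranges, the path is a placeholder, and the parameter
# values are test strings, not indicators taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2024:10:01:12 +0000] "GET /example-page/?A=quarterly HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2024:10:02:40 +0000] "GET /example-page/?A=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5211 "https://mail.example/" "Mozilla/5.0"
203.0.113.9 - - [20/Feb/2024:10:03:05 +0000] "GET /example-page/?A=%2522%2520onmouseover%253D%2522alert%25281%2529 HTTP/1.1" 200 5190 "-" "Mozilla/5.0"
198.51.100.2 - - [20/Feb/2024:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Markup fragments that have no business in a plain table parameter.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:iframe|svg|img|object)\b",
    re.IGNORECASE,
)


def suspicious_values(target: str, param: str = "A") -> list:
    """Return the decoded values of `param` in a request target that match
    SUSPICIOUS. parse_qs decodes once; a second unquote() catches values that
    were percent-encoded twice to slip past naive filters."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    flagged = []
    for value in values:
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            flagged.append(decoded)
    return flagged


def scan_log(text: str, param: str = "A") -> list:
    """Parse combined-format log lines and return one record per request
    whose `param` value looks like injected markup."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        values = suspicious_values(match["target"], param)
        if values:
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "referer": match["referer"],
                "values": values,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'referer={hit["referer"]!r} values={hit["values"]}')
```

A hit on a server that was still running a vulnerable version means a crafted link was requested, so the source address, timestamp and referer on that line (a webmail referer, as in the constructed second line, fits the "tricked into clicking a link" scenario) are the starting point for working out which user followed it and what that session did next. On a patched version the same hits only record attempts.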
Conclusion:
The quick fix provided by the wpDataTables developers addresses this reflected XSS risk before exploits emerged in the wild. Users should still treat this with urgency given the ease of compromising user accounts and wider sites via cross-site scripting. Upgrading to the latest patched release is critical.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpdatatables-2
Detailed Report:
Keeping your website secure should be a top priority – outdated software and plugins open doors for attackers to compromise your site. Unfortunately, a popular WordPress plugin, wpDataTables, has a newly disclosed critical vulnerability that puts over 70,000 websites at risk. This reflected cross-site scripting (XSS) flaw allows hackers to inject malicious code into vulnerable sites simply by enticing admins or users to click on specially-crafted links.
The wpDataTables plugin provides dynamic data tables and charts for WordPress sites. It has over 1.3 million downloads to date and around 70,000 active installs. The plugin developers wpDataTables have addressed this flaw by releasing version 3.4.2.5. However, any sites running earlier vulnerable versions remain at risk.
Successful attacks allow remote unauthenticated attackers to hijack user sessions, steal sensitive data, or download malware onto victims' devices without needing login credentials or privileges. They could even leverage compromised administrator accounts to fully take over sites. This XSS vulnerability arises from the plugin failing to properly sanitize user input, enabling malicious scripts to be injected into pages if a user clicks on links sent by the attacker.
If you have this plugin active on your WordPress site, you should update to the latest secure version immediately to protect both your site and visitors. As a precaution after updating, also scan for any unauthorized modifications to other files made during the window of exploitability. Consider proactive monitoring for new threats related to any plugins you use since ad-hoc patches occur frequently.
This is far from the first vulnerability uncovered in wpDataTables, with six previous flaws reported since November 2014. The quick turnaround by the developers to address this latest issue does show a commitment to user security. However, the risks introduced by third-party plugins place a burden on site owners to be vigilant regarding testing and updates. We know that staying on top of vulnerabilities feels like a relentless treadmill for busy business owners who would rather focus on customers than cybersecurity. Please don’t hesitate to reach out if you need any help or advice securing your WordPress site – we want to help lighten this load so you can concentrate on running your business. Turning a blind eye may save time in the short run, but it puts your livelihood in jeopardy. Let’s work together to keep the web safe.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.