A popular WordPress antimalware plugin was found to have a reflected cross-site scripting vulnerability. This is a vulnerability that an attacker could exploit to compromise an administrator-level user of an affected website.
Affected WordPress plugins
The plugins found to contain the vulnerability are Anti-Malware Security and Brute-Force Firewall, used by more than 200,000 websites.
Anti-Malware Security and Brute-Force Firewall is a plugin that works both as a firewall (to block incoming threats) and as a security scanner that checks the site for threats such as backdoors and database injections.
The premium version protects websites from brute force attacks that try to guess passwords and usernames, and prevents DDoS attacks.
Reflected Cross-Site Scripting Vulnerability
The plugin was found to contain a vulnerability that allows attackers to launch Reflected Cross-Site Scripting (Reflected XSS) attacks.
In this case, the reflected cross-site scripting vulnerability arises because the WordPress site does not properly restrict the content that can be passed into it.
Failing to restrict (clean) what is being submitted is essentially like opening the front door of a website and allowing almost anything through.
Hackers exploit this vulnerability by sending a script in a request (here, in the URL) and having the website reflect it back in the response.
When a specially crafted URL created by the attacker is opened by someone with admin-level permissions, the script runs in the victim's browser with that user's admin-level session.
The WPScan report on Anti-Malware Security and Brute Force Firewall describes the vulnerability:
“The plugin does not sanitize and escape QUERY_STRING before outputting it back to the admin page, resulting in reflective cross-site scripting in browsers with unencoded characters”
The U.S. Government National Vulnerability Database has not assigned a severity score for this vulnerability.
The vulnerability in this plugin is called a Reflected XSS vulnerability.
There are other types of XSS vulnerabilities, but these are the three main types:
- Stored Cross-Site Scripting Vulnerability (Stored XSS)
- Blind Cross-Site Scripting (Blind XSS)
- Reflected XSS
In the Stored XSS and Blind XSS vulnerabilities, the malicious script is stored on the website itself. These are generally considered higher threats because it is easier for admin-level users to trigger the scripts. But these are not the kind found in this plugin.
In the Reflected XSS found in this plugin, someone with admin-level credentials must be tricked into clicking on a link (e.g. from an email), which then causes the website to reflect a malicious payload back to them.
The non-profit Open Web Application Security Project (OWASP) describes Reflected XSS like this:
“A reflection attack is one where an injected script reflects off a web server, such as an error message, search result, or any other response that includes some or all of the input sent to the server as part of a request.
Reflection attacks are delivered to the victim through other means, such as email or other websites.”
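To make the WPScan description and the OWASP definition concrete, here is an added illustration in PHP (the language WordPress plugins are written in). It is not the plugin's own code and does not claim to match it: render_unsafe(), render_safe() and run_checks() are hypothetical names, and the page name in the sample query string is constructed. The unsafe function writes the raw query string into admin-page markup, which is the pattern WPScan describes; the safe function escapes it for its HTML context before output, which is what "sanitize and escape" means in practice.

```php
<?php
// Added illustration (not the plugin's code): the reflected-XSS pattern
// described by WPScan for an admin page, beside its hardened form.
// render_unsafe(), render_safe() and run_checks() are hypothetical names.

// esc_attr() and esc_html() are real WordPress core functions. These fallbacks
// exist only so the file runs outside WordPress; they approximate the core
// behaviour for plain ASCII input (core additionally handles invalid UTF-8
// and avoids double-encoding existing entities).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable shape: QUERY_STRING is reflected verbatim into an attribute, so
// any markup characters in the URL become part of the page that an
// administrator's browser renders.
function render_unsafe(string $query_string): string {
    return '<form action="admin.php?' . $query_string . '" method="post">';
}

// Hardened shape: escape for the exact output context (an HTML attribute).
// The same value rendered as visible text would use esc_html() instead.
function render_safe(string $query_string): string {
    return '<form action="admin.php?' . esc_attr($query_string) . '" method="post">';
}

// Constructed sample input: characters that would close the attribute and
// open a tag if reflected unescaped. The unsafe output keeps them as markup;
// the safe output turns them into entities that the browser displays as text.
function run_checks(): array {
    $sample = 'page=example-scan&x="><b>reflected</b>';   // constructed, not a real payload
    $unsafe = render_unsafe($sample);
    $safe   = render_safe($sample);
    return [
        'unsafe_contains_tag' => strpos($unsafe, '<b>') !== false,   // true
        'safe_contains_tag'   => strpos($safe, '<b>') !== false,     // false
        'safe_output'         => $safe,
    ];
}

$checks = run_checks();
printf("unsafe reflects markup: %s\n", $checks['unsafe_contains_tag'] ? 'yes' : 'no');
printf("safe reflects markup:   %s\n", $checks['safe_contains_tag'] ? 'yes' : 'no');
echo $checks['safe_output'], PHP_EOL;
```

The design point is that the escaping is applied at output time and chosen for the context the value lands in (attribute versus element text), rather than trying to block "bad" characters on the way in. For a site owner who cannot yet update, this is also the thing to look for when reviewing a plugin's admin pages: any place where $_SERVER['QUERY_STRING'] or $_GET values are echoed without one of the esc_* functions.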
Recommended to update to version 4.20.96
It is generally recommended to back up your WordPress files before updating any plugins or themes.
Anti-Malware Security and Brute-Force Firewall WordPress plugin version 4.20.96 contains a fix for this vulnerability.
Plugin users are advised to consider updating their plugins to version 4.20.96.
Citation
Read US Vulnerability Database details
Read the WPScan report on the vulnerability
Anti-Malware Security and Brute Force Firewall < 4.20.96 – Reflected Cross-Site Scripting
Read the official changelog documenting pinned releases