The National Vulnerability Database (NVD) has issued an advisory on an XSS vulnerability.

The NVD is the U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP).

The NVD describes the reason for the vulnerability and how an attack can happen: “The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.”

Sites that have the plugin installed should update to the latest version. No matter what type of site you run, GetGoingHub can scan your site for security vulnerabilities, malware, and online threats.

The Popup Maker WordPress plugin patched, in version 1.16.9, a cross-site scripting (XSS) vulnerability via a contact form that could allow an attacker to inject malicious JavaScript; versions before 1.16.9 remain affected. The Popup Maker plugin integrates with most popular contact forms and offers features designed to drive conversions in WooCommerce stores, email newsletter signups and other conversion-focused popups, slide-ins and banners.

The vulnerability affecting the Popup Maker WordPress plugin is a stored cross-site scripting (XSS) vulnerability. It is called “stored” because the malicious JavaScript is uploaded to the website and kept on the server itself, from where it is served to everyone who views the affected page. In general, stored XSS vulnerabilities can have severe consequences, including full website takeover, user data exposure and the planting of Trojan horse programs that mislead users about their true intent.

The Popup Maker WordPress plugin has been around only since 2021 and has experienced phenomenal growth, with 700,000+ active installations and over 4,000 five-star reviews.

XSS vulnerabilities generally occur when an application fails to sanitize the data a user submits. Sanitization may occur when the input is received (input sanitization) or just before the data is passed across a trust boundary (output sanitization, normally done by escaping the value for the context it is written into). A trust boundary is the point at which you can expect threats and must determine who has control over your web server, business logic and database.
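To make the shortcode-attribute flaw described in the NVD entry and the input/output sanitization point above concrete, here is an added, illustrative WordPress shortcode handler in an unsafe and a hardened form. It is not Popup Maker's code; the shortcode name `demo_box`, its attributes and the function names are invented, and it assumes the WordPress runtime (add_shortcode, shortcode_atts, sanitize_html_class, sanitize_text_field, esc_attr and esc_html are WordPress core functions).

```php
<?php
/*
 * Illustrative example (not the Popup Maker plugin's code).
 * Shortcode attributes are parsed out of post content, which a user with the
 * Contributor role can author, so every attribute value is untrusted input.
 */

// VULNERABLE: the attribute values are neither validated nor escaped before
// being written into HTML. A quote character inside the value breaks out of
// the attribute context, which is exactly how a stored XSS lands on the page.
function demo_box_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Open', 'css' => 'demo' ), $atts, 'demo_box' );
    return '<button class="' . $atts['css'] . '" aria-label="' . $atts['label'] . '">'
         . $atts['label'] . '</button>';
}

// HARDENED: sanitize on input (whitelist the class name, strip tags and
// control characters from the label) and escape on output for the exact
// HTML context each value lands in.
function demo_box_safe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Open', 'css' => 'demo' ), $atts, 'demo_box' );

    // Input sanitization: sanitize_html_class() keeps only A-Z, a-z, 0-9, '-' and '_'
    // and falls back to 'demo' if nothing valid remains.
    $css   = sanitize_html_class( $atts['css'], 'demo' );
    $label = sanitize_text_field( $atts['label'] );

    // Output escaping: esc_attr() for attribute values, esc_html() for text nodes.
    return sprintf(
        '<button class="%s" aria-label="%s">%s</button>',
        esc_attr( $css ),
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Register only the hardened handler; the unsafe one is shown for contrast.
add_shortcode( 'demo_box', 'demo_box_safe' );
```

The defender's check is the same for any shortcode: find every attribute that reaches output and confirm it passes through a sanitizer on the way in and a context-appropriate esc_* function on the way out.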

Anywhere that a user can input data can become vulnerable if there is no control over what can be submitted. Contact forms on websites built with WordPress plugins are especially prone to vulnerabilities that let attackers upload arbitrary files, because the plugin fails to properly sanitize user-supplied input.

An attacker can exploit an XSS vulnerability to execute code or commands against a website or server without the owner’s knowledge. This may facilitate unauthorized access or privilege escalation attacks, both vertical and horizontal. Vertical attacks are when an attacker gains unauthorized privileged access to a system or account with the intent to perform actions as that user. Horizontal attacks gain access to account(s) with limited permissions, which then require an escalation of privileges, such as to an administrator role, to perform the desired actions.