Stored XSS in WP Product Review Lite plugin allows for automated takeovers

A critical flaw in the WP Product Review Lite plugin installed on over 40,000 WordPress sites could potentially allow their take over.

Attackers could exploit a critical vulnerability in the WP Product Review Lite WordPress plugin to inject malicious code and potentially take over vulnerable websites.

The WP Product Review Lite plugin allows site owners to quickly create custom review articles using pre-defined templates, it is currently installed on over 40,000 WordPress sites.

The vulnerability was discovered by researchers at Sucuri Labs, it is a persistent XSS that could be exploited by remote, unauthenticated attackers.

“During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.” reads the analysis published by Sucuri.

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”

Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website.

An attacker could trick a site admin into accessing the compromised products, then they could redirect them to a rogue site, or steal the session cookies to authenticate on behalf of the administrator.

Once the attacker has authenticated as an admin, it could add a new admin account to take over the site.

Researchers at the Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.

Experts recommend site administrators to update their plugin to version 3.7.6 as soon as possible because unauthenticated attacks could be automated by attackers.

“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude.

“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

The vulnerability was reported to the plugin developers on May 13, and it was fixed in only 24 hours, on May 14, 2020.

At the time of writing, more than 7,000 users have already fixed their WP Product Review Lite plugin, this means that more than 32,000 sites have yet to do it.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – WP Product Review Lite, hacking)

The post Stored XSS in WP Product Review Lite plugin allows for automated takeovers appeared first on Security Affairs.