June 4, 2023

The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed on over 3 million websites was found to contain a Stored Cross-Site Scripting (XSS) vulnerability.

Stored XSS

A Cross-Site Scripting (XSS) attack typically occurs when a part of the website that accepts user input is insecure and allows unanticipated input, like scripts or links.

An XSS vulnerability can be leveraged to gain unauthorized access to a website and can lead to user data theft or a full site takeover.

The non-profit Open Worldwide Application Security Project (OWASP) describes how an XSS vulnerability works:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”

A stored XSS, which is arguably worse, is one in which the malicious script is saved on the website’s own servers (for example in a plugin setting or database field) and then served to every visitor who loads the affected page.

The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.
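To make the stored variant concrete, here is an added example (not MonsterInsights code, and not code from the original article) showing the pattern behind most stored XSS bugs in WordPress plugins: a setting is saved without sanitization and later echoed into a page without escaping. The setting name `sej_demo_title`, the in-memory option store standing in for `get_option()`/`update_option()`, and the sample input are all constructed for this example; `esc_html()` and `esc_attr()` are real WordPress escaping functions, with stand-ins defined only so the file also runs from the PHP command line.

```php
<?php
// Added example: a stored-XSS pattern in a WordPress settings page and its
// hardened form. Setting name and option store are hypothetical.

// Stand-ins so the file runs outside WordPress. Inside WordPress these
// functions already exist and the definitions below are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed in-memory option store standing in for the wp_options table.
$options = [];

// Step 1: a value submitted through the plugin's settings form is saved as-is.
// This is what makes the XSS "stored": the payload sits in the database and is
// delivered to every visitor of the affected page, not just the submitter.
function save_setting(array &$options, string $key, string $value): void {
    $options[$key] = $value;  // no sanitization on the way in
}

// Vulnerable: the stored value is echoed straight into the page.
function render_title_vulnerable(array $options): string {
    return '<h2>' . ($options['sej_demo_title'] ?? '') . '</h2>';
}

// Hardened: the value is escaped for each context it is printed into
// (esc_attr for an attribute, esc_html for element text).
function render_title_hardened(array $options): string {
    $title = $options['sej_demo_title'] ?? '';
    return '<h2 title="' . esc_attr($title) . '">' . esc_html($title) . '</h2>';
}

// Constructed sample input containing a harmless script probe.
save_setting($options, 'sej_demo_title', '<script>alert(1)</script>Dashboard');

echo "Vulnerable: " . render_title_vulnerable($options) . PHP_EOL;
echo "Hardened:   " . render_title_hardened($options) . PHP_EOL;
```

Run with `php example.php`: the vulnerable output contains a live `<script>` element, while the hardened output renders the same text as `&lt;script&gt;alert(1)&lt;/script&gt;Dashboard`, which the browser displays literally. Escaping on output is the primary fix; WordPress additionally offers `sanitize_text_field()` for cleaning input before it is saved, and neither replaces applying the vendor's 8.14.1 patch on an affected site.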

MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability

The MonsterInsights Google Analytics plugin is installed on over three million websites, which makes this vulnerability more concerning.

WordPress security company Patchstack, which discovered the vulnerability, published details:

“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 8.14.1.”

The MonsterInsights plugin changelog on the WordPress plugin repository offered a somewhat vague explanation of the security patch:

“Fixed: We fixed a PHP warning error and added additional security hardening.”

“Security hardening” is a term that can be applied to many tasks related to reducing attack vectors, such as removing the WordPress version number from page output.

WordPress has published an entire page about security hardening that recommends tasks such as regular database backups, obtaining themes and plugins from trusted sources, and using strong passwords.

All of those actions are security hardening.

That is why “security hardening” is too general and generic a term for something as specific (and important) as patching an XSS vulnerability: a changelog entry worded that way could lead a user to skip updating their plugin.

Recommended Action

Patchstack recommends that all users of the MonsterInsights Analytics Plugin update their WordPress plugin immediately to the latest version, or at least to version 8.14.1.

Read the U.S. National Vulnerability Database announcement:

CVE-2023-23999 Detail

Read Patchstack’s announcement:

WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)