One of the world’s most popular WordPress themes quietly released a security update over the weekend that security researchers say appears to patch a stored XSS vulnerability.
The official Astra changelog offered this explanation of the security release:
“Enhanced Security: Our code base has been strengthened to further protect your website.”
Its changelog, which documents the changes to the code included in each update, does not provide any information about what the vulnerability was or how severe it was. Therefore, theme users cannot make an informed decision about whether to update their theme as soon as possible or test before updating to ensure that the updated theme is compatible with other plugins in use.
SEJ contacted WordPress security company Patchstack who verified that Astra may have patched a cross-site scripting vulnerability.
Brainstorm Force Astra WordPress Theme
Astra is one of the most popular WordPress themes in the world. It’s a free theme that’s relatively lightweight, easy to use, and results in professional-looking websites. It even has Schema.org structured data built into it.
Cross-site scripting (XSS) vulnerability
A cross-site scripting vulnerability is one of the most common types of vulnerabilities found in WordPress, and it usually arises within third-party plugins and themes. It occurs when there is a way to input data but the plugin or theme doesn’t sufficiently filter what is being input or output, which can later allow an attacker to place a malicious payload on the site.
This particular vulnerability is called Stored XSS. A stored XSS is so called because it involves directly uploading the payload to the website server and storing it.
The non-profit website Open Worldwide Application Security Project (OWASP) offers the following description of a stored XSS vulnerability:
“Stored attacks are those in which the injected script is permanently stored on the target servers, such as in a database, message forum, visitor log, comment field, etc. The victim then retrieves the malicious server script when it requests the stored information. Stored XSS is also sometimes known as persistent or type II XSS.”
Patchstack Review
SEJ contacted Patchstack, who quickly reviewed the changed files and identified a potential theme security issue in three WordPress functions. Theme functions are code that changes the behavior of WordPress, such as changing the length of an excerpt; they can add customizations and introduce new functionality to a theme.
Patchstack explained its findings:
“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.
It appears that a change has been made to several functions to escape the return value of the get_the_author WordPress function.
This function prints the “display_name” property of a user, which could contain something malicious, leading to a cross-site scripting vulnerability if printed directly without using any output escaping.
This change has been made to the following functions:
- astra_archive_page_info
- astra_post_author_name
- astra_post_author
If, for example, a contributor wrote a post and that contributor changes their display name to contain a malicious payload, that malicious payload will be executed when a visitor visits that page with their malicious display name.”
In the context of XSS vulnerabilities in WordPress, untrusted data is any data a user is able to enter.
WordPress handles untrusted data with three processes, sanitizing, validating, and escaping, which are three ways to secure a WordPress website.
Sanitization is the process of filtering input data. Validation is the process of checking what is entered to determine whether it is exactly what is expected, such as text instead of code. Escaping the output ensures that anything displayed, such as user input or database content, is rendered safely in the browser.
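The following PHP is an added illustration and is not code from the Astra theme or from Patchstack. It shows the pattern Patchstack describes, a theme function printing the return value of get_the_author unescaped, beside the escaped form, plus a defense-in-depth filter that sanitizes the display name when a profile is saved. It assumes the WordPress functions get_the_author, esc_html, sanitize_text_field and add_filter, and defines stand-ins for them so the file also runs under plain `php` outside WordPress.

```php
<?php
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// functions are already defined and these blocks are skipped.
if ( ! function_exists( 'get_the_author' ) ) {
    // Constructed display name: ordinary text plus markup the author added.
    function get_the_author() { return 'Alice <b>Editor</b>'; }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { return trim( strip_tags( (string) $text ) ); }
}

// Pattern before the fix: the display name is concatenated straight into HTML,
// so any markup in it is interpreted by the browser.
function example_author_html_unescaped() {
    return '<span class="author">' . get_the_author() . '</span>';
}

// Pattern after the fix: escape at the point of output. The browser now shows
// the literal characters "<b>Editor</b>" instead of rendering them.
function example_author_html_escaped() {
    return '<span class="author">' . esc_html( get_the_author() ) . '</span>';
}

// Defense in depth: strip tags from the display name when the profile is saved,
// so stored data is clean even if some template forgets to escape.
function example_sanitize_display_name( $display_name ) {
    return sanitize_text_field( $display_name );
}
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'pre_user_display_name', 'example_sanitize_display_name' );
}

echo example_author_html_unescaped(), PHP_EOL;
echo example_author_html_escaped(), PHP_EOL;
echo example_sanitize_display_name( get_the_author() ), PHP_EOL;
```

Escaping on output is the fix that closes the bug; the save-time filter only reduces the blast radius and is no substitute for it.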
WordPress security firm Patchstack identified changes to functions that output data, which in turn provide clues as to what the vulnerability is and how it was fixed.
Patchstack Security Advisory
It is unknown if a third-party security researcher discovered the vulnerability or if Brainstorm, the creators of the Astra theme, discovered it themselves and patched it.
The official Patchstack advisory provided this information:
“An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in the Astra WordPress theme. This could allow a malicious actor to inject malicious scripts such as redirects, ads, and other HTML payloads into your website, which will be executed when guests visit your site. This vulnerability was fixed in version 4.6.9.”
Patchstack assessed the vulnerability as a medium threat and assigned a score of 6.5 on a scale of 1 to 10.
Wordfence Security Advisory
Wordfence also released a security advisory. They analyzed the Astra files and concluded:
“The Astra theme for WordPress is vulnerable to stored cross-site scripting via a user’s display name in all versions up to and including 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will be executed whenever a user accesses an injected page.”
It’s generally recommended that theme users update their installation, but it’s also wise to test the updated theme for bugs before deploying it to a live website.
Featured image by Shutterstock/GB_Art