<\/p>\n
The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed by more than 3 million was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability.<\/p>\n
A Cross-Site Scripting (XSS) attack generally occurs when a part of the website that accepts user input is insecure and allows unintended input such as scripts or links.<\/p>\n
The XSS vulnerability can be exploited to gain unauthorized access to a website and can lead to the theft of user data or a complete site takeover.<\/p>\n
The non-profit Open World Application Security Project (OWASP) describes how XSS vulnerability works<\/a>:<\/p>\n “An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way of knowing that the script is not to be trusted and will execute the script.<\/p>\n Because it believes the script is from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information held by the browser and used with that site.<\/p>\n A stored XSS, which is possibly worse, is one where the malicious script is stored on the website’s own servers.<\/p>\n The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was found to have the stored XSS version of the vulnerability.<\/p>\n The Google Analytics MonsterInsights plugin is installed on more than three million websites, making this vulnerability even more concerning.<\/p>\n WordPress security company Patchstack, which discovered the vulnerability, details published<\/a>:<\/strong><\/p>\n \u201cRafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.<\/p>\n This could allow a malicious actor to inject malicious scripts such as redirects, ads, and other HTML payloads into your website, which will be executed when guests visit your site.<\/p>\n This vulnerability has been fixed in version 8.14.1.<\/p>\n The MonsterInsights plugin changelog<\/a> in the WordPress plugin repository offered a somewhat vague explanation of the security patch:<\/p>\n “Fixed: Fixed a PHP warning bug and added additional security reinforcement.”<\/p>\n A “security hardening” is a term that can be applied to many tasks related to reducing attack vectors, such as removing the version number.<\/p>\n WordPress has published a full page on tightening security<\/a> which recommends security-enhancing tasks such as regular database backups, obtaining themes and plugins from trusted sources, and using strong passwords.<\/p>\n All these activities are tightening security.<\/p>\n This is why the use of the phrase “security hardening” is a general, generic term used for something as specific (and important) as patching an XSS security vulnerability, which could lead to a user to skip updating their plugin.<\/p>\n Patchstack recommends that all users of the MonsterInsights Analytics plugin immediately update their WordPress plugin to the latest version or at least version 8.14.1.<\/p>\n Read the US National Vulnerability Database announcement:<\/strong><\/p>\n CVE-2023-23999 Detail<\/a><\/p>\n Read Patchstack’s announcement:<\/strong><\/p>\nMonsterInsights \u2013 Google Analytics Dashboard for WordPress Vulnerability<\/h2>\n
Recommended action<\/h2>\n