The SiteOrigin Widgets Bundle WordPress plugin, with over 600,000 installations, has patched an authenticated stored cross-site scripting (XSS) vulnerability. This flaw could have allowed attackers to upload arbitrary files and expose site visitors to harmful scripts.
SiteOrigin Widgets Bundle Plugin
The SiteOrigin Widgets plugin, boasting over 600,000 active installations, enables users to easily add various widget functions such as sliders, carousels, maps, and customized blog post displays, along with other useful webpage elements.
Stored Cross-Site Scripting Vulnerability
A Cross-Site Scripting (XSS) vulnerability lets an attacker inject malicious scripts into a web page. In WordPress plugins, these flaws typically stem from improper sanitization (filtering of untrusted input data) and inadequate escaping of output data.
This particular XSS vulnerability is termed “Stored XSS” because the injected code is saved on the server and served to every visitor who loads the affected page. According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes this type of vulnerability particularly concerning.
OWASP describes the stored XSS threat:
“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users.”
Once a script has been successfully injected, the website itself delivers it to unsuspecting visitors. Because the user’s browser trusts the website, it executes the script, which can let the attacker read cookies, session tokens, and other sensitive data the browser holds for that site.
Vulnerability Description
The vulnerability arose due to flaws in sanitizing inputs and escaping data.
The WordPress developer page for security explains sanitization:
“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”
Escaping is the output-side counterpart: data is encoded just before it is written to the page so that the browser treats it as text rather than interpreting it as HTML or script.
Both of these functions needed improvements in the SiteOrigin Widgets Bundle plugin.
Wordfence described the vulnerability:
“The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3, due to insufficient input sanitization and output escaping.”
This vulnerability requires authentication to execute, meaning the attacker needs at least contributor-level access to launch an attack.
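As an added example that is not part of the article and is not the plugin's own code, the following Python sketches the sanitize-on-save and escape-on-output pattern the two quoted definitions describe, applied to a widget setting that ends up in an onclick attribute like the parameter Wordfence names, and it also illustrates the stored-XSS flow described earlier (a saved value is rendered into the page for every visitor). The setting name, the action allowlist, the data-action rendering and the sample values are assumptions; esc_attr() here is a stand-in for the WordPress function of that name, and the allowlist plays the role that WordPress's wp_kses() filtering plays for markup. The plugin's actual fix is not shown on this page and is not claimed here.

```python
"""Added example (not the SiteOrigin plugin's code): sanitize on save,
escape on output, and why escaping alone is not enough for an onclick value.

Assumed names: the 'onclick' setting, ALLOWED_ACTIONS and the data-action
attribute are hypothetical. esc_attr() mirrors the WordPress function of
the same name using Python's html.escape().
"""
import html
import re

# Constructed widget settings, shaped like what a contributor-level user
# could save through a widget form. The onclick value is a harmless test
# string that also carries a stray quote to show attribute breakout.
CONSTRUCTED_INSTANCE = {
    "label": "Read more",
    "onclick": 'alert(1)" title="x',
}

# Hypothetical allowlist of behaviours that an enqueued site script implements.
ALLOWED_ACTIONS = {"open_modal", "scroll_top"}


def esc_attr(value: str) -> str:
    """Stand-in for WordPress esc_attr(): encode &, <, >, \" and '."""
    return html.escape(value, quote=True)


def render_vulnerable(instance: dict) -> str:
    """Before: the saved value is concatenated straight into the markup."""
    return f'<button onclick="{instance["onclick"]}">{instance["label"]}</button>'


def render_escaped_only(instance: dict) -> str:
    """Escaping keeps the value inside the attribute (the stray quote can no
    longer close it), but an onclick attribute is executed as JavaScript by
    the browser, so the user-supplied script still runs. Escaping is
    necessary but not sufficient for event-handler attributes."""
    return (f'<button onclick="{esc_attr(instance["onclick"])}">'
            f'{esc_attr(instance["label"])}</button>')


def sanitize_action(value: str) -> str:
    """Sanitize on save: keep only a key from the fixed allowlist. Any
    free-form value, including every script, is dropped."""
    return value if value in ALLOWED_ACTIONS else ""


def render_hardened(instance: dict) -> str:
    """After: no user-controlled event handler at all. The behaviour is
    selected by a data attribute that a site script interprets, and the
    value is still escaped on output."""
    action = sanitize_action(instance.get("onclick", ""))
    attrs = f' data-action="{esc_attr(action)}"' if action else ""
    return f'<button{attrs}>{esc_attr(instance["label"])}</button>'


# Defender-side check: flag inline event handlers or javascript: URLs in
# rendered output or in stored widget options during a review.
_EVENT_HANDLER = re.compile(r'\son[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def has_inline_script_handler(markup: str) -> bool:
    """True when the markup carries an on*= attribute or a javascript: URL."""
    return _EVENT_HANDLER.search(markup) is not None


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable),
                     ("escaped only", render_escaped_only),
                     ("hardened", render_hardened)]:
        out = fn(CONSTRUCTED_INSTANCE)
        print(f"{name:13}: {out}")
        print(f"{'':13}  inline handler present: {has_inline_script_handler(out)}")
```

The escaped-only renderer is there for the caveat: output escaping stops the attribute from being closed early, but it cannot make an onclick value safe, because the attribute's content is script by definition. The only robust fix is to stop accepting free-form script from users who lack the unfiltered_html capability, which is what the allowlist and data-action rendering do. The has_inline_script_handler() check is a cheap way to scan stored widget options or rendered pages for the pattern during an incident review.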
Recommended Action
The vulnerability has been assigned a medium CVSS severity level, scoring 6.4/10. Plugin users should consider updating to the latest version, 1.58.5, although the vulnerability was initially patched in version 1.58.4.