One of the world’s most popular WordPress themes quietly addressed a security vulnerability over the weekend, which security researchers indicate may have fixed a stored XSS vulnerability.
The official Astra changelog offered this explanation of the security release:
“Enhanced Security: Our codebase has been strengthened to further protect your website.”
Their changelog, which documents changes to the code included in every update, offers no information about the specifics or severity of the vulnerability. As a result, theme users can’t make an informed decision on whether to update their theme immediately or conduct tests first to ensure the updated theme is compatible with other plugins in use.
Security researchers who reviewed the changed files concluded that Astra had most likely patched a cross-site scripting vulnerability.
Brainstorm Force Astra WordPress Theme
Astra is one of the world’s most popular WordPress themes. It’s a free, lightweight, easy-to-use theme that enables the creation of professional-looking websites. It even integrates Schema.org structured data.
Cross-Site Scripting Vulnerability (XSS)
A cross-site scripting vulnerability is one of the most common types of vulnerabilities found in WordPress, typically arising in third-party plugins and themes. It occurs when there is a way to input data but the plugin or theme doesn't adequately filter that input or escape it on output, potentially allowing an attacker to inject a malicious script.
This particular vulnerability is a stored XSS. In a stored XSS, the payload is submitted through an ordinary input and saved on the website server, for example in the database, so it is served to every visitor who views the affected page.
The non-profit Open Worldwide Application Security Project (OWASP) provides the following description of a stored XSS vulnerability:
“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.”
Patchstack Review Of Theme
Security researchers promptly reviewed the changed files and identified a possible security issue in three of the theme's functions. In WordPress, functions are pieces of code that can modify how features behave, such as altering the length of an excerpt; a theme's functions add customizations and introduce new features to the theme.
Patchstack explained their findings:
“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress repository and checked the differences.
It seems that several functions have had a change made to them to escape the return value from the WordPress function get_the_author.
This function prints the ‘display_name’ property of a user, which could contain something malicious leading to a cross-site scripting vulnerability if printed directly without using an output escaping function.
The following functions have had this change made to them:
- astra_archive_page_info
- astra_post_author_name
- astra_post_author
If, for example, a contributor wrote a post and this contributor changes their display name to contain a malicious payload, this malicious payload will be executed when a visitor visits that page with their malicious display name.”
In the context of WordPress XSS vulnerabilities, untrusted data enters wherever a user is able to input data, such as the display name field on a user profile.
WordPress guidance addresses untrusted data through three processes, Sanitization, Validation, and Escaping, which are three ways of securing a WordPress website.
Sanitization filters input data. Validation checks whether the input is exactly what's expected, like text instead of code. Escaping output ensures that anything displayed in the browser is rendered as text rather than interpreted as markup.
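The following is an added example, not Astra's code and not taken from the Patchstack write-up. It shows the pattern Patchstack describes: a theme function that prints the value of get_the_author() directly, beside the same function with the value wrapped in esc_html(). The function names example_author_name_unescaped and example_author_name_escaped are hypothetical. Outside WordPress, minimal stand-ins for get_the_author() and esc_html() are defined so the file runs with plain `php`; inside WordPress the real functions are used instead.

```php
<?php
// Added example (not Astra's code): the unescaped versus escaped output
// pattern for an author display name.

if ( ! function_exists( 'get_the_author' ) ) {
    // Stand-in used only outside WordPress: a constructed display name that a
    // contributor could have saved on their profile.
    function get_the_author() {
        return 'Jane <script>alert(1)</script>';
    }
}

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in approximating WordPress esc_html(): HTML-encode the characters
    // that would otherwise start a tag or attribute.
    function esc_html( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable pattern (hypothetical, not Astra's actual pre-4.6.9 code): the
// display name is concatenated into the page as-is, so any tag inside it is
// parsed by the browser as markup.
function example_author_name_unescaped() {
    return '<span class="author-name">' . get_the_author() . '</span>';
}

// Hardened pattern, matching the change Patchstack observed: the display name
// is escaped at output, so the browser shows the characters as text.
function example_author_name_escaped() {
    return '<span class="author-name">' . esc_html( get_the_author() ) . '</span>';
}

echo 'Unescaped: ' . example_author_name_unescaped() . PHP_EOL;
echo 'Escaped:   ' . example_author_name_escaped() . PHP_EOL;
```

Running it with `php example.php` prints the first line with a literal `<script>` tag in the markup and the second with `&lt;script&gt;`, which is the difference between a payload that executes and one that is merely displayed. The escaping belongs at the point of output because the display name is legitimately stored as the user typed it; escaping it once on the way into the database would break every other place that prints it with its own context-appropriate function (esc_attr() for attributes, for example).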
WordPress security company Patchstack identified changes to functions that escape data, giving clues about what the vulnerability was and how it was fixed.
Patchstack Security Advisory
It’s unknown whether a third-party security researcher discovered the vulnerability, or Brainstorm, the makers of the Astra theme, identified and patched it themselves.
The official Patchstack advisory provided this information:
“An unknown person discovered and reported this Cross-Site Scripting (XSS) vulnerability in the WordPress Astra Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website, which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.9.”
Patchstack assessed the vulnerability as a medium threat and assigned it a score of 6.5 on a scale of 1–10.
Wordfence Security Advisory
Wordfence also published a security advisory, analyzing the Astra files and concluding:
“The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s display name in all versions up to and including 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
It is generally recommended that users of the theme update their installation, but it’s also prudent to test whether the updated theme causes any errors before pushing it to a live website.
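Updating the theme closes the output-escaping gap but does not remove a payload that an account may already have saved as its display name. The following added example, not from the article, Wordfence or the Astra project, audits a list of display names for markup so that such accounts can be reviewed. It runs offline on a constructed list; the comment at the end shows the assumed way to build the list from the real get_users() function inside WordPress. The function name find_display_names_with_markup is hypothetical.

```php
<?php
// Added example: audit stored user display names for anything that is not
// plain text. Runs on a constructed array; see the comment at the bottom for
// use inside WordPress.

/**
 * Return the display names (keyed by user ID) that contain HTML tags, a
 * "javascript:" scheme, or an on* event handler attribute. Names containing a
 * bare "<" may be over-flagged, which is acceptable for a manual review.
 */
function find_display_names_with_markup( array $display_names ) {
    $flagged = array();
    foreach ( $display_names as $user_id => $name ) {
        $has_tags    = ( strip_tags( $name ) !== $name );
        $has_scheme  = ( stripos( $name, 'javascript:' ) !== false );
        $has_handler = ( preg_match( '/\bon[a-z]+\s*=/i', $name ) === 1 );
        if ( $has_tags || $has_scheme || $has_handler ) {
            $flagged[ $user_id ] = $name;
        }
    }
    return $flagged;
}

// Constructed sample standing in for the users table; IDs and names are made up.
$sample = array(
    1 => 'Jane Doe',
    2 => "Sam O'Neil",
    3 => '<script>alert(1)</script>',
    4 => 'Bob <b>Bold</b>',
    5 => 'Ann "Quotes" Lee',
);

// Prints user 3 and user 4; the other names pass as plain text.
foreach ( find_display_names_with_markup( $sample ) as $user_id => $name ) {
    printf( "user %d: %s\n", $user_id, $name );
}

// Inside WordPress (assumed usage of the real get_users() API):
//   $users = get_users( array( 'fields' => array( 'ID', 'display_name' ) ) );
//   $names = array();
//   foreach ( $users as $user ) { $names[ $user->ID ] = $user->display_name; }
//   find_display_names_with_markup( $names );
```

Any flagged account is worth a closer look: a display name containing a tag is either an accident or an indication that the account was used to plant a payload, and in the latter case the site's other user-supplied fields deserve the same review.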
See also:
- The WordPress Security Guide To Keep Your Site Safe
- WordPress Security: 16 Steps to Secure & Protect Your Site
Featured Image by Shutterstock/GB_Art