The National Vulnerability Database has revealed that a widely used Google Analytics WordPress plugin, installed on over 3 million websites, contains a Stored Cross-Site Scripting (XSS) vulnerability.
Stored XSS
A Cross-Site Scripting (XSS) attack typically occurs when a part of a website that accepts user input fails to validate or escape it, allowing unexpected input such as scripts or links to be stored or reflected. An XSS vulnerability can be exploited to gain unauthorized access to a website, potentially leading to theft of user data or a complete site takeover.
The non-profit Open Worldwide Application Security Project (OWASP) explains how XSS works:
"An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site."
A stored XSS is more severe because the malicious script is persisted on the website's own server and is served to every user who views the affected page, rather than only to a victim who clicks a crafted link.
The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was found to have the stored XSS variant of this vulnerability.
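To make the stored XSS pattern concrete, here is an added illustration of how such a flaw typically arises in a WordPress plugin and what the same feature looks like when input is sanitized and output is escaped. This is example code written for this article, not MonsterInsights code, and the option name, field name and nonce action are hypothetical.

```php
<?php
// Added illustration, not MonsterInsights code. The option name
// 'demo_dashboard_label', the POST field 'demo_label' and the nonce action
// 'demo_save_label' are hypothetical.

// --- Vulnerable pattern ---
// The submitted label is saved unchanged and later echoed raw into the admin
// dashboard, so a <script> tag saved once runs for every admin who views it.
function demo_save_label_vulnerable() {
    if ( isset( $_POST['demo_label'] ) ) {
        update_option( 'demo_dashboard_label', wp_unslash( $_POST['demo_label'] ) );
    }
}

function demo_render_label_vulnerable() {
    echo '<h2>' . get_option( 'demo_dashboard_label', '' ) . '</h2>';
}

// --- Hardened pattern ---
function demo_save_label_hardened() {
    // Limit who may write the option at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Reject forged form submissions.
    check_admin_referer( 'demo_save_label' );
    if ( isset( $_POST['demo_label'] ) ) {
        // Sanitize on input: sanitize_text_field() strips tags and control
        // characters before the value is persisted.
        $label = sanitize_text_field( wp_unslash( $_POST['demo_label'] ) );
        update_option( 'demo_dashboard_label', $label );
    }
}

function demo_render_label_hardened() {
    // Escape on output for the context the value lands in (HTML body here).
    // In an attribute use esc_attr(); in a URL use esc_url().
    echo '<h2>' . esc_html( get_option( 'demo_dashboard_label', '' ) ) . '</h2>';
}
```

Both halves matter: sanitizing on save limits what can be stored, and escaping on output protects even if a value reached the database by some other route.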
MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability
Because the MonsterInsights Google Analytics plugin is installed on over three million websites, this vulnerability is particularly concerning.
WordPress Security company Patchstack, which discovered the vulnerability, released the following details:
"Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in the WordPress Google Analytics by MonsterInsights Plugin.
This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.
This vulnerability has been fixed in version 8.14.1."
The changelog for the MonsterInsights plugin on the WordPress plugin repository offered a somewhat vague explanation of the security patch:
"Fixed: We fixed a PHP warning error and added additional security hardening."
"Security hardening" is a term that can apply to a wide range of tasks aimed at reducing the attack surface, such as removing version numbers from page output. WordPress has an entire page dedicated to security hardening, which recommends activities like regular database backups, obtaining themes and plugins from trusted sources, and using strong passwords. All of these count as security hardening.
However, the term is generic and can be misleading when applied to something as specific and crucial as patching an XSS vulnerability. A changelog entry worded this way could lead site owners to underestimate the importance of updating the plugin.
Recommended Action
Patchstack recommends that all users of the MonsterInsights Analytics Plugin update their WordPress plugin immediately to the latest version, or at least to version 8.14.1.
Read the U.S. National Vulnerability Database announcement:
CVE-2023-23999 Detail
Read Patchstack’s announcement:
WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)