A widely used WordPress anti-malware plugin has been found to have a reflected cross-site scripting vulnerability, a type of flaw that can enable an attacker to compromise an administrator-level user of the affected website.
Affected WordPress Plugin
The plugin identified with this vulnerability is Anti-Malware Security and Brute-Force Firewall, which is installed on over 200,000 websites.
Anti-Malware Security and Brute-Force Firewall functions as both a firewall, blocking incoming threats, and a security scanner that checks for security issues such as backdoor hacks and database injections.
A premium version offers protection against brute force attacks that aim to guess passwords and usernames and safeguards against DDoS attacks.
Reflected Cross-Site Scripting Vulnerability
This plugin was found to have a vulnerability that permitted an attacker to execute a Reflected Cross-Site Scripting (reflected XSS) attack.
A reflected cross-site scripting vulnerability in this context occurs when a WordPress website does not adequately restrict what can be input into the site and then echoes that input back in a page.
The lack of proper sanitization (restrictions on what the site accepts) is akin to leaving the website’s front door unlocked and allowing virtually anything to be passed in.
An attacker exploits this vulnerability by sending a script in the request and causing the website to reflect it back in its response.
When someone with administrator-level permissions visits a crafted URL supplied by the attacker, the script runs in the victim’s browser with that user’s admin-level session.
The WPScan report on the Anti-Malware Security and Brute-Force Firewall described the vulnerability:
“The plugin does not sanitize and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters.”
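As an added illustration of the pattern the report describes (not the plugin’s or WPScan’s code), the unescaped output sits beside a hardened version that uses WordPress’s escaping functions; the field names and the sample query string are constructed for the example:

```php
<?php
// Added example, not the plugin's own code: the defect class named in the
// WPScan report (raw QUERY_STRING echoed into an admin page) beside the
// context-aware escaping that prevents it.

// Stand-ins so this runs from the PHP CLI outside WordPress. Inside WordPress
// the real esc_attr()/esc_html() from wp-includes/formatting.php apply.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: $_SERVER['QUERY_STRING'] (passed in here for clarity)
// is concatenated into an attribute and into text. Quotes and angle brackets
// in the request URL become live markup in the page an admin is viewing.
function render_vulnerable(string $query_string): string {
    return '<input type="hidden" name="return_to" value="admin.php?' . $query_string . '">'
         . '<p>Current view: ' . $query_string . '</p>';
}

// Hardened pattern: escape for the exact output context. esc_attr() for the
// attribute value, esc_html() for text content, so the input is only ever
// displayed, never interpreted. Rebuilding the URL from known parameters
// (e.g. with add_query_arg()) instead of echoing QUERY_STRING is better still.
function render_hardened(string $query_string): string {
    return '<input type="hidden" name="return_to" value="admin.php?' . esc_attr($query_string) . '">'
         . '<p>Current view: ' . esc_html($query_string) . '</p>';
}

// Constructed sample: the shape of a crafted link's query string, using
// harmless markup so the difference is visible in the output.
$sample = 'page=scan&view="><i>injected</i>';

echo render_vulnerable($sample), PHP_EOL;
echo render_hardened($sample), PHP_EOL;
```

Run from the command line, the first line shows the `<i>` tag and the broken-out attribute left intact, while the second shows them encoded as `&lt;`, `&gt;` and `&quot;`.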
The United States Government National Vulnerability Database has not yet assigned a severity level score to this vulnerability.
This type of vulnerability is known as a Reflected XSS vulnerability.
There are other kinds of XSS vulnerabilities, but the three primary types are:
- Stored Cross-Site Scripting Vulnerability (Stored XSS)
- Blind Cross-site Scripting (Blind XSS)
- Reflected XSS
In a stored or blind XSS vulnerability, the malicious script is stored on the website itself. These are generally considered a higher threat because it’s easier to get an admin-level user to trigger the script. However, these were not the vulnerabilities discovered in the plugin.
In a reflected XSS, which is the type found in the plugin, a person with admin-level credentials is tricked into clicking a link (for example, from an email) which then reflects the malicious payload from the website.
The Open Web Application Security Project (OWASP) describes a Reflected XSS in this way:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.”
Update to Version 4.20.96 Recommended
It is generally advised to have a backup of your WordPress files before updating any plugin or theme.
Version 4.20.96 of the Anti-Malware Security and Brute-Force Firewall WordPress plugin contains a fix for the vulnerability.
Users of the plugin are recommended to update their plugin to version 4.20.96.
Citations
Read the United States Vulnerability Database Details
- CVE-2022-0953 Detail
Read the WPScan Report on the Vulnerability
- Anti-Malware Security and Brute-Force Firewall < 4.20.96 – Reflected Cross-Site Scripting
Read the Official Changelog that Documents the Fixed Version
- Anti-Malware Security and Brute-Force Firewall Changelog