
WordPress Autoptimize Plugin Vulnerability Affects Over 1 Million Sites

The WordPress optimization plugin Autoptimize recently received an update that fixes a Stored XSS vulnerability. Publishers using the plugin should update immediately to reduce the risk of being attacked through it.

### Stored XSS Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability occurs when software has a flaw that allows an attacker to inject a malicious script that the site saves and later serves to its visitors, attacking everyone who loads the affected page. The specific type of this stored XSS vulnerability remains unclear. However, it becomes especially problematic if someone with admin-level privileges visits the page and receives the payload, because a script running with administrator permissions can potentially lead to a total site takeover.

According to the United States government’s National Institute of Standards and Technology, a cross-site scripting exploit is defined as follows:
> “A vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can thus compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data, so it is not executable.”

This is termed a “stored” XSS vulnerability because the malicious script is stored on the website itself, rather than being reflected back from a single crafted request.

### Vulnerability Rating

Vulnerabilities are rated using an open standard called the Common Vulnerability Scoring System (CVSS). Scores are most commonly given using CVSS version 3.1. The standard describes itself as:
> “The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.”

The vulnerability affecting Autoptimize is known as an Authenticated Stored XSS vulnerability, meaning an attacker must already be logged into the site to exploit the flaw. This requirement is part of why the Autoptimize WordPress Plugin vulnerability is rated as medium severity, with a score of 5.4 on a scale of 1 to 10.

### Autoptimize Changelog

A changelog is a record of all changes made to software with each update. It typically includes the version, sometimes the date of the version, and the changes contained within the update. According to the official Autoptimize Changelog, the latest version is 2.8.4, which fixes the vulnerability:
> “2.8.4
> fix for an authenticated XSS vulnerability”

Although the vulnerability is rated as medium, it is still highly recommended that all publishers using this plugin update it immediately to stay secure.

### Citations

– Documentation of Autoptimize Vulnerability at Patchstack Security Site
– Official Autoptimize Changelog
