Social media plugin puts 100.000 WordPress sites at risk

In another vulnerability that could have serious repercussions, cybersecurity researchers discovered a cross-site scripting (XSS) bug in the NextScripts: Social Networks Auto-Poster plugin for WordPress. The plugin automatically publishes a site's posts to whichever social media accounts have been configured. Discovered by Ramuel Gall of Wordfence, the vulnerability in the popular WordPress plugin, which has over 100.000 installations, allowed for a clever cross-site scripting attack. "As with all XSS attacks, malicious JavaScript executed in an admin session could be used to add malicious admin users or insert backdoors into a site and thus be used for site takeover," Gall observes.

Superglobal quirk

While explaining the bug, Gall points out that the XSS vulnerability arose because of a relatively obscure quirk in the way PHP handles superglobal variables. “This meant that it was possible to run JavaScript in a logged-in administrator's browser by pressing them to visit an autosubmission form that sent a POST request to their site,” Gall explains. The vulnerability was disclosed to the plugin developer in August and a patched version of the plugin was released in early October. Wordfence advises all users of the plugin to update to the latest version to prevent abuse of their WordPress websites.
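The article does not say which superglobal behaviour the plugin tripped over. The PHP below is an added illustration, not Wordfence's write-up or the plugin's code, of one such behaviour that fits the description: `$_REQUEST` is assembled from `$_GET` and `$_POST` (order set by the `request_order` ini setting, default `GP`, POST winning on collisions), so a value the code "expects" from the query string can be supplied by an auto-submitted POST form instead. The `page` parameter, the function names and the nonce value are hypothetical. The point for a defender is the two mitigations shown: escaping at output, which makes the reflected value inert, and a per-user nonce check, which a cross-site form cannot satisfy.

```php
<?php
// Added illustration (not the plugin's code). Names and the 'page' parameter
// are hypothetical; build_request() is a model of how PHP fills $_REQUEST,
// not PHP internals.

/**
 * Emulate how PHP populates $_REQUEST from $_GET and $_POST according to
 * request_order (default "GP": GET first, then POST overrides on the same key).
 * When request_order is empty PHP falls back to variables_order and cookies
 * join the merge as well, which is one more reason not to trust $_REQUEST.
 */
function build_request(array $get, array $post, string $order = 'GP'): array
{
    $request = [];
    foreach (str_split(strtoupper($order)) as $source) {
        $bucket = $source === 'G' ? $get : ($source === 'P' ? $post : []);
        $request = array_merge($request, $bucket); // later sources win
    }
    return $request;
}

/** Vulnerable pattern: reflect a request value into HTML without escaping. */
function render_title_unsafe(array $request): string
{
    $page = $request['page'] ?? 'default';
    return "<h1>Settings: {$page}</h1>";
}

/** Hardened pattern: escape for the HTML context before output. */
function render_title_safe(array $request): string
{
    $page = (string) ($request['page'] ?? 'default');
    return '<h1>Settings: ' . htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

/**
 * An auto-submitted cross-site form cannot carry a valid per-user nonce, so
 * verifying one before rendering or acting on POST data stops the forged
 * request. In WordPress this is check_admin_referer()/wp_verify_nonce(); here
 * a constant-time comparison against the session's nonce stands in for it.
 */
function handle_post(array $post, string $session_nonce): string
{
    if (!isset($post['_wpnonce']) || !hash_equals($session_nonce, (string) $post['_wpnonce'])) {
        return 'rejected: missing or invalid nonce';
    }
    return render_title_safe($post);
}

// Constructed sample: the page URL carries a harmless ?page=, but the body of
// an auto-submitted form supplies a different value that overrides it.
$get  = ['page' => 'snap-settings'];
$post = ['page' => '<script>demo()</script>'];
$request = build_request($get, $post);

echo render_title_unsafe($request), PHP_EOL; // the <script> tag is reflected verbatim
echo render_title_safe($request), PHP_EOL;   // angle brackets become entities, so it is plain text
echo handle_post($post, 'session-nonce-value'), PHP_EOL; // forged body has no nonce, so it is refused
```

Run it with `php example.php`. The first line of output shows why reading from `$_REQUEST` (or `$_POST`) and echoing it is enough for reflected XSS even when the visible URL looks clean; the second and third lines show that output escaping and a nonce check each independently neutralise the auto-submitted form described by Gall, and production code should use both.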