Persistent XSS Flaws Patched in Popular WordPress Plugins

Persistent cross-site scripting (XSS) vulnerabilities were patched over the past several days in three popular WordPress plugins, including Activity Log, All in One SEO Pack, and WP Live Chat Support.

Of the three, the XSS in All in One SEO Pack is the security issue with the highest impact, given that the plugin has over one million installs and is reportedly the most downloaded plugin for WordPress. Designed to help site admins to automatically optimize their site for search engines, the All in One SEO Pack contains a bug in the Bot Blocker functionality.

David Vaartjes, who discovered the vulnerability, explains in an advisory that an attacker exploiting the issue could steal Administrators’ session tokens or perform arbitrary actions on their behalf. The researcher also explains that “an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.”

The Bot Blocker functionality allows admins to prevent certain bots from accessing / crawling the website. Bots are detected based on User Agent and Referrer header patterns, and a 404 is returned when a request is blocked. A “Track Blocked Bots” setting allows for blocked requests to be logged in the HTML page, but the logging is performed without proper sanitization or output encoding, allowing XSS, the researcher found.

The vulnerability was tested in All in One SEO Pack version, but Semper Fi Web Design, the plugin’s developer, released a fix in version 2.3.7 last week. Admins using the plugin are advised to update their installation as soon as possible, or to disable the “Track Blocked Bots” setting until they can, to ensure they are protected.

The stored XSS bugs in the Activity Log and WP Live Chat Support plugins were both discovered by a single researcher, Han Sahin, and both can be exploited to inject malicious JavaScript code into the application. Although not as popular as All in One SEO Pack, these plugins still have 30,000+ and 20,000+ installations, respectively, putting tens of thousands of users at risk.

Activity Log doesn’t sufficiently check input supplied in the X-Forwarded-For HTTP header and fails to encode the output when the input is presented in a “wrong password event,” which results in the malicious request being stored in the Activity Log page. An attacker can exploit the flaw to steal victims’ session tokens or login credentials, perform arbitrary actions on their behalf, and log their keystrokes or deliver malware, the bug’s advisory reveals.

The WP Live Chat Support plugin uses the Referrer header to show backend (wp-admin) chat users the page on which the chat was initiated, but doesn’t properly output-encode the URL retrieved from the database, which results in a persistent XSS, the advisory reads. The flaw allows an attacker to perform actions on behalf of a logged-in WordPress user, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, and logging keystrokes.
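All three bugs share one pattern: a client-controlled request header (User-Agent and Referrer for the Bot Blocker log, X-Forwarded-For for Activity Log, Referrer for WP Live Chat Support) is stored and later rendered in an admin page without output encoding. The following is an added illustration, not code from any of the three plugins, showing that vulnerable render path beside a hardened one that validates the IP header and HTML-encodes every stored value at output time; it assumes plain PHP, where htmlspecialchars() stands in for WordPress's esc_html().

```php
<?php
// Added example (not code from All in One SEO Pack, Activity Log or WP Live
// Chat Support): a minimal "blocked request" log that stores request headers
// and later renders them in an admin page. Plain PHP is assumed; inside a
// WordPress plugin the equivalent of e() below is esc_html().

// Constructed sample requests. All three header values come from the client.
$requests = [
    ['ua' => 'Mozilla/5.0 (compatible; ExampleBot/1.0)',
     'referer' => 'https://example.test/page', 'xff' => '203.0.113.7'],
    ['ua' => 'BadBot <b>injected markup</b>',
     'referer' => 'https://example.test/<i>x</i>', 'xff' => '<u>not an ip</u>'],
];

// Storing the raw values is not itself the bug; rendering them unencoded is.
// An in-memory array stands in for the plugin's database table.
$log = [];
foreach ($requests as $req) {
    $log[] = $req + ['ts' => '2016-07-01 12:00:00'];
}

// Vulnerable: header values are concatenated straight into the markup, so any
// tag inside User-Agent, Referer or X-Forwarded-For is parsed by the admin's browser.
function render_log_vulnerable(array $log): string {
    $html = "<table>\n";
    foreach ($log as $r) {
        $html .= "<tr><td>{$r['ts']}</td><td>{$r['ua']}</td>"
               . "<td>{$r['referer']}</td><td>{$r['xff']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened: validate what has a strict format (an IP address) and HTML-encode
// every untrusted value at the point it enters an HTML context.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function render_log_safe(array $log): string {
    $html = "<table>\n";
    foreach ($log as $r) {
        $ip = filter_var($r['xff'], FILTER_VALIDATE_IP) ?: '(invalid address)';
        $html .= "<tr><td>" . e($r['ts']) . "</td><td>" . e($r['ua']) . "</td>"
               . "<td>" . e($r['referer']) . "</td><td>" . e($ip) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo "--- vulnerable ---\n", render_log_vulnerable($log);
echo "--- hardened ---\n", render_log_safe($log);
```

In the hardened output the second row's tags appear as literal `&lt;b&gt;` text and the bogus X-Forwarded-For value is replaced, which is the behaviour the patched plugins should exhibit.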

WordPress Activity Log version 2.3.1 and WP Live Chat Support version 6.2.00 were found to be vulnerable, but both vulnerabilities were resolved in version 2.3.2 of Activity Log and version 6.2.02 of the WP Live Chat Support plugin. As always, admins are advised to update their installations as soon as possible.
