Persistent XSS Flaws Patched in Popular WordPress Plugins

Persistent cross-site scripting (XSS) vulnerabilities were patched over the past several days in three popular WordPress plugins, including Activity Log, All in One SEO Pack, and WP Live Chat Support.

Of the three, the XSS in All in One SEO Pack is the security issue with the highest impact, given that the plugin has over one million installs and is reportedly the most downloaded plugin for WordPress. Designed to help site admins automatically optimize their site for search engines, the All in One SEO Pack contains a bug in its Bot Blocker functionality.

David Vaartjes, who discovered the vulnerability, explains in an advisory that an attacker exploiting the issue could steal Administrators’ session tokens or perform arbitrary actions on their behalf. The researcher also explains that “an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.”

The Bot Blocker functionality allows admins to prevent certain bots from accessing / crawling the website. Bots are detected based on User Agent and Referrer header patterns, and a 404 is returned when a request is blocked. A “Track Blocked Bots” setting allows for blocked requests to be logged in the HTML page, but the logging is performed without proper sanitization or output encoding, allowing XSS, the researcher found.

The vulnerability was tested in All in One SEO Pack version, but Semper Fi Web Design, the plugin’s developer, released a fix for it in version 2.3.7 last week. Admins using the plugin are advised to update their installation as soon as possible, or to disable the “Track Blocked Bots” setting until they can, to ensure they are protected.

The stored XSS bugs in Activity Log and WP Live Chat Support plugins were both discovered by the same researcher, Han Sahin, and both can be exploited to inject malicious JavaScript code into the application. Although not as popular as SEO Pack, these plugins still have 30,000+ and 20,000+ installations, respectively, putting tens of thousands of users at risk.

Activity Log doesn’t sufficiently check input supplied in the X-Forwarded-For HTTP header and fails to encode the output when that input is presented in a “wrong password event,” which results in the malicious request being stored and rendered on the Activity Log page. An attacker can exploit the flaw to steal victims’ session tokens or login credentials, perform arbitrary actions on their behalf, and log their keystrokes or deliver malware, the bug’s advisory reveals.

The WP Live Chat Support plugin uses the Referrer header to show backend (wp-admin) chat users the page on which a chat was initiated, but it doesn’t properly output-encode the URL retrieved from the database, which results in a persistent XSS, the advisory reads. The flaw allows an attacker to perform actions on behalf of a logged-in WordPress user, such as stealing the victim’s session tokens or login credentials, performing arbitrary actions on their behalf, and logging keystrokes.
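All three bugs share one pattern: an attacker-controlled request header is stored and later rendered on a wp-admin page without output encoding. The hypothetical PHP below (an added illustration, not code from All in One SEO Pack, Activity Log or WP Live Chat Support) shows a blocked-bot log rendered the vulnerable way and the fixed way; `esc_html()` is WordPress’s own escaping helper, with a stand-in definition so the snippet also runs outside WordPress.

```php
<?php
// Hypothetical illustration of the stored-XSS pattern described above;
// not the actual code of any of the three plugins.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Step 1: a blocked request is logged. Storing the raw header values is
// acceptable only if every later render point encodes for its output context.
function log_blocked_request(array &$log, string $userAgent, string $referer): void
{
    $log[] = ['ua' => $userAgent, 'referer' => $referer, 'time' => gmdate('c')];
}

// Vulnerable render: header values are concatenated straight into admin HTML,
// so markup in User-Agent or Referer executes in the administrator's browser.
function render_blocked_bots_unsafe(array $log): string
{
    $html = '<table>';
    foreach ($log as $entry) {
        $html .= '<tr><td>' . $entry['ua'] . '</td><td>' . $entry['referer'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Fixed render: encode at output, in the HTML-text context the value lands in.
// The same fix applies to an X-Forwarded-For value shown in a log page.
function render_blocked_bots_safe(array $log): string
{
    $html = '<table>';
    foreach ($log as $entry) {
        $html .= '<tr><td>' . esc_html($entry['ua']) . '</td><td>'
               . esc_html($entry['referer']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed sample: a request whose User-Agent carries markup.
$log = [];
log_blocked_request($log, 'BadBot/1.0 <script>alert(1)</script>', 'http://example.com/');

echo render_blocked_bots_unsafe($log), PHP_EOL; // markup reaches the page intact
echo render_blocked_bots_safe($log), PHP_EOL;   // markup rendered as inert text
```

The fix is applied at the render point rather than when the header is received: a log should keep the raw value for investigation, and encoding on output is what prevents it from executing.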

WordPress Activity Log version 2.3.1 and WP Live Chat Support version 6.2.00 were found to be vulnerable, but both vulnerabilities were resolved in version 2.3.2 of Activity Log and version 6.2.02 of the WP Live Chat Support plugin. As always, admins are advised to update their installations as soon as possible.
