Chicago, IL (PRWEB) July 28, 2016
WiredTree, a trusted provider of managed server hosting, has warned users of the popular All In One SEO Pack plugin to update to the most recent version as soon as possible. A flaw in versions older than 2.3.7 could leave sites vulnerable to a cross-site scripting attack that would allow malicious third parties to take control.
The vulnerability — first reported by Wordfence on July 12 — was quickly fixed by the plugin’s developer, but WiredTree believes many sites may still be vulnerable. The company, which hosts thousands of WordPress sites, wants to raise awareness to reduce the chance of innocent site owners losing control of their websites.
“Cross-site scripting vulnerabilities occur because it’s difficult to sanitize every potential route by which a malicious user might inject code,” says Zac Cogswell, President of WiredTree. “As soon as this vulnerability was discovered, developers fixed the problem and made a patch available. We want to make sure that every WordPress site owner is aware of the problem, and takes the necessary steps to protect their site and their users.”
Cross-site scripting vulnerabilities are among the most common security issues for sites that accept user-generated content. In this case, the problem lies with functionality intended to block access to so-called bad bots. When the feature blocks a malicious bot, it displays the HTTP request sent by the bot in the WordPress site’s dashboard. Because the request is not sanitized, a maliciously crafted request could include code, which, when the dashboard is loaded by an administrator, would send sensitive data, including authentication cookies, to the attacker.
Mitigating the risk of the attack is simple: WordPress site owners must update the plugin from their WordPress administrative dashboard.
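The flaw described above, as an added illustration that is not the plugin's own code: a dashboard widget that lists blocked bad-bot requests, once rendering the raw request (attacker-controlled input) and once HTML-encoding it first. The sample request lines are constructed; `htmlspecialchars()` stands in for the WordPress helper `esc_html()` so the file runs outside WordPress.

```php
<?php
// Constructed sample of what a blocked-bot log might hold. The second entry
// carries markup, as a crafted request could; it is a harmless test marker.
$blocked_requests = [
    'GET /wp-login.php HTTP/1.1 User-Agent: BadBot/1.0',
    'GET /?q=<script>alert("xss")</script> HTTP/1.1 User-Agent: BadBot/1.0',
];

// VULNERABLE pattern: the raw request string is concatenated into dashboard
// HTML. Any markup in it is rendered and, for a <script>, executed in the
// administrator's browser with the administrator's session.
function render_blocked_requests_vulnerable(array $requests): string {
    $html = '<ul>';
    foreach ($requests as $req) {
        $html .= '<li>' . $req . '</li>';
    }
    return $html . '</ul>';
}

// HARDENED pattern: encode the request before output so the browser shows it
// as text. In WordPress use esc_html() here; htmlspecialchars() is the
// stand-alone equivalent for HTML body context. Attribute or JavaScript
// contexts need their own encoders (esc_attr(), esc_js()).
function render_blocked_requests_safe(array $requests): string {
    $html = '<ul>';
    foreach ($requests as $req) {
        $html .= '<li>' . htmlspecialchars($req, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Simple regression check: the output must not contain an unencoded script tag.
function contains_live_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vuln = render_blocked_requests_vulnerable($blocked_requests);
$safe = render_blocked_requests_safe($blocked_requests);

echo 'vulnerable output contains a live <script>: ' . var_export(contains_live_script($vuln), true) . "\n";
echo 'hardened output contains a live <script>:   ' . var_export(contains_live_script($safe), true) . "\n";
echo $safe . "\n";
```

Run with `php widget.php`; the first check reports `true`, the second `false`, and the encoded list shows the markup as literal text.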
WiredTree specializes in delivering a managed hosting experience that places the client in complete command, covering virtual, hybrid, and dedicated web hosting. As champions of customer care, it’s no wonder that more than 5,000 clients enjoy WiredTree’s free hardware level-ups and a <15 minute average ticket response time. All of this is built on top of only the highest-performing technologies, including the LiteSpeed web server, MariaDB, memcached, SSD-driven hardware, and an in-house management system called Grove. To learn more about what WiredTree can do for your site, visit http://www.wiredtree.com.