A popular WordPress anti-malware plugin was discovered to have a reflected cross-site scripting vulnerability. This is a type of vulnerability that can allow an attacker to compromise an administrator level user of the affected website.
Affected WordPress Plugin
The plugin discovered to contain the vulnerability is Anti-Malware Security and Brute-Force Firewall, which is used by over 200,000 websites.
Anti-Malware Security and Brute-Force Firewall is a plugin that defends a website as a firewall (to block incoming threats) and as a security scanner, to check for security threats in the form of backdoor hacks and database injections.
A premium version defends websites against brute-force attacks that try to guess usernames and passwords, and protects against DDoS attacks.
Reflected Cross-Site Scripting Vulnerability
This plugin was found to contain a vulnerability that allowed an attacker to launch a Reflected Cross-Site Scripting (reflected XSS) attack.
A reflected cross-site scripting vulnerability in this context is one in which a WordPress website does not properly restrict what is supplied in a request and then writes it back into a page without escaping it.
That failure to restrict (sanitize) what is being submitted is essentially like leaving the front door of the website unlocked and allowing virtually anything to be echoed back to visitors.
An attacker takes advantage of this vulnerability by placing a script in a request parameter and having the website reflect it back in its response.
When someone with administrator level permissions visits a URL crafted by the attacker, the script runs in the victim’s browser with the admin-level session stored there.
The WPScan report on the Anti-Malware Security and Brute-Force Firewall described the vulnerability:
“The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters”
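The WPScan description above (the request’s QUERY_STRING written into an admin page without being sanitised or escaped) comes down to a small PHP pattern. The following is an added illustration written for this article, not code from the Anti-Malware Security and Brute-Force Firewall plugin; the function names `render_vulnerable` and `render_fixed` and the sample query string are constructed for the example. It runs under plain PHP by falling back to `htmlspecialchars()` when WordPress’s `esc_html()` is not loaded.

```php
<?php
// Added example: reflecting the raw query string into an admin page
// (the pattern WPScan describes) versus escaping it before output.
// Function names and the sample input are constructed for illustration.

// WordPress provides esc_html(); define a stand-in so this runs outside WP.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: whatever the request carried lands in the HTML unchanged,
// so angle brackets and quotes from the URL become live markup.
function render_vulnerable(string $query_string): string {
    return '<p>Scan results for: ' . $query_string . '</p>';
}

// Fixed pattern: escape at the output sink. The same input is rendered as
// visible text, and the result no longer depends on how the browser encoded
// the URL before sending it.
function render_fixed(string $query_string): string {
    return '<p>Scan results for: ' . esc_html($query_string) . '</p>';
}

// Constructed request input, standing in for a crafted link sent to an admin.
$sample_query = 'scan=1&path=<script>alert(1)</script>';

echo "Vulnerable output:\n" . render_vulnerable($sample_query) . "\n\n";
echo "Escaped output:\n" . render_fixed($sample_query) . "\n";
```

In a real plugin the WordPress convention is to sanitize on input (for example `sanitize_text_field()`) and escape on output with the function matching the context (`esc_html()` for text, `esc_attr()` for attribute values, `esc_url()` for links). Escaping at the sink is the part that removes the WPScan caveat about “browsers which do not encode characters”: once the server escapes the value itself, it no longer matters whether the browser percent-encoded the angle brackets on the way in.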
The United States Government National Vulnerability Database has not yet assigned this vulnerability a severity level score.
The vulnerability in this plugin is called a Reflected XSS vulnerability.
There are other kinds of XSS vulnerabilities, but these are the three main types:
- Stored Cross-Site Scripting Vulnerability (Stored XSS)
- Blind Cross-Site Scripting (Blind XSS)
- Reflected XSS
In a stored XSS or a blind XSS vulnerability, the malicious script is stored on the website itself. These are generally considered a higher threat because it’s easier to get an admin level user to trigger the script. But these are not the kind that was discovered in the plugin.
In a reflected XSS, which is what was discovered in the plugin, a person with admin level credentials has to be tricked into clicking a link (for example from an email), and the website then reflects the malicious payload back from that request.
The non-profit Open Web Application Security Project (OWASP) describes a Reflected XSS like this:
“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.”
Update to Version 4.20.96 Recommended
It is generally recommended to have a backup of your WordPress files before updating any plugin or theme.
Version 4.20.96 of the Anti-Malware Security and Brute-Force Firewall WordPress plugin contains a fix for the vulnerability.
Users of the plugin are recommended to consider updating their plugin to version 4.20.96.
Read the United States Vulnerability Database Details
Read the WPScan Report on the Vulnerability
Anti-Malware Security and Brute-Force Firewall < 4.20.96 – Reflected Cross-Site Scripting
Read the Official Changelog that Documents the Fixed Version
Anti-Malware Security and Brute-Force Firewall Changelog