A recently disclosed flaw in the WP Product Review Lite WordPress plugin could be exploited by unauthenticated attackers to compromise websites.
WP Product Review Lite is designed to create product reviews on WordPress websites. It supports a top-rated products widget and also allows for monetization by inserting a "buy now" button in articles. The plugin has more than 40,000 active installations.
Last week, the plugin's development team fixed an unauthenticated persistent (stored) Cross-Site Scripting (XSS) vulnerability that could have been abused to inject code into every product page on a site.
The problem, Sucuri security researchers explain, is that although all user input is sanitized, one of the WordPress functions the plugin relied on can be bypassed if the attacker's parameter ends up inside an HTML attribute. This is a familiar class of bug: a filter that is adequate for text placed between tags does not neutralize a double quote, and a double quote is all that is needed to close an attribute value and start writing new attributes, including event handlers, on the element. The robust fix is to escape for the context the value is written into at output time, rather than to rely on input sanitization alone.
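The following Python script is an added illustration of that bug class, not code from the plugin or from Sucuri's advisory. The page does not name the WordPress function involved, so the script uses a plain tag-stripping filter as a stand-in for a body-context sanitizer (the role WordPress functions such as wp_kses_post() play) and Python's html.escape() as the equivalent of attribute escaping (esc_attr() in WordPress). Both payloads are constructed for the example; the expected attribute names and the element template are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not the plugin's real payload or data):
# a tag-based payload, which a tag-stripping sanitizer handles, and an
# attribute-breakout payload, which it does not.
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

# Attributes the (assumed) template legitimately writes on the element.
EXPECTED_ATTRS = {"type", "value"}


def strip_tags(value: str) -> str:
    """Stand-in for a body-context sanitizer (the role of wp_kses_post() or
    strip_tags()): drops <...> elements but leaves quotes alone, because
    quotes are harmless between tags. Assumed here to model the bug class."""
    return re.sub(r"<[^>]*>", "", value)


def render_vulnerable(value: str) -> str:
    """Sanitises for text context, then interpolates into an attribute.
    The sanitiser never sees a '<' in ATTR_PAYLOAD, so it returns the input
    unchanged, and the first '"' closes the value attribute."""
    return f'<input type="text" value="{strip_tags(value)}">'


def render_fixed(value: str) -> str:
    """Escapes for the context the value is actually written into
    (the equivalent of esc_attr()): '"' becomes &quot; and can no longer
    terminate the attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


class _FirstElement(HTMLParser):
    """Records the attributes of the first start tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def element_attributes(markup: str) -> dict:
    """Attribute name -> value of the first element in the markup."""
    parser = _FirstElement()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def is_breakout(markup: str) -> bool:
    """True if the rendered element carries attributes the template never wrote."""
    return set(element_attributes(markup)) != EXPECTED_ATTRS


if __name__ == "__main__":
    for label, payload in (("tag", TAG_PAYLOAD), ("attribute", ATTR_PAYLOAD)):
        for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            out = render(payload)
            print(f"{label:9} {name:10} breakout={is_breakout(out)!s:5} {out}")
```

Running the script shows that the tag-stripping filter does stop the <script> payload in both renderers, which is why "all input is sanitized" can be true and the site still vulnerable: with the attribute payload, the vulnerable renderer produces an input element that a parser sees as carrying an onfocus handler, while the escaped renderer keeps the entire payload inside the value attribute.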
“A successful attack results in the insertion of malicious scripts into all goods on the web,” the researchers explain.
Because the attack requires no authentication, threat actors can automate it, Sucuri warns, which makes mass exploitation of vulnerable websites straightforward for cyber-criminals.
“What makes this vulnerability particularly dangerous is the number of active installations, the ease of exploitation, and the consequences of a successful attack,” the researchers note.
Sucuri identified the vulnerability on May 13, and a fix was released the following day in WP Product Review Lite version 3.7.6.
Although no active exploitation attempts have been observed, the researchers recommend that website administrators upgrade to the patched version as soon as possible, since earlier releases remain vulnerable to attack and potential compromise. The installed version can be confirmed from the Plugins screen in the WordPress dashboard or, on sites managed from the command line, with WP-CLI's `wp plugin list`.