XSS MAY 2021 – Cross-Site Scripting MAY 2021
Tailored WordPress Security Report
Be informed about the latest Cross-Site Scripting MAY 2021, identified and reported publicly. As these XSS MAY 2021 vulnerabilities have a severe negative impact on any WordPress Security, consider our FREE security AUDIT.
An estimated jaw-dropping 2,176,000+ active WordPress installations were susceptible to these attack types, counting only the publicly disclosed and available numbers. The estimate can grow by a further 20-25% once premium versions are included, as those are private purchases and their install counts are not reported.
Furthermore, the initial estimate can triple once we consider (1) installations where a patched version exists BUT the owner has NOT UPDATED, so the vulnerability remains active on their domain; and (2) closed ("uncounted") plugins that remain active on domains already running them, with nobody maintaining their security. When these owners change hosting provider (often because of constant unexplained issues), they migrate these vulnerabilities behind new, protected areas, possibly exposing other clean WordPress sites to different attack types.
This is a 109% increase compared to December 2020: we compare last month with the previous winter holiday season, which carries the year's biggest shopping traffic and attack spike. Read more about our previous reports here: ALERT: 52 XSS APR 2021 – Cross-Site Scripting APR 2021 Blast and 11 XSS – Cross-Site Scripting – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the XSS MAY 2021 category:
- Autoptimize < 2.8.4 – Authenticated Stored Cross-Site Scripting (XSS)
- Cookie Law Bar <= 1.2.1 – Authenticated Stored Cross-Site Scripting (XSS)
- A simple and lightweight cookie law WordPress plugin that shows a notice that your website uses cookies. Perfect for implementing the EU cookie law! Active installations: 5,000+
- Database Backup for WordPress < 2.4 – Authenticated Persistent Cross-Site Scripting (XSS)
- DSGVO All in one for WP < 4.0 – Unauthenticated Stored Cross-Site Scripting (XSS)
- Bring WordPress up to date according to the General Data Protection Regulation GDPR. Active installations: 20,000+
- easy-preloader <= 1.0.0 – Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 4, 2022 and is not available for download. This closure is temporary, pending a full review.
- Best Image Gallery & Responsive Photo Gallery – FooGallery < 2.0.35 – Authenticated Stored Cross-Site Scripting
- Make gallery management in WordPress great again! With FooGallery you can easily add a stunning photo gallery to your website in minutes. Active installations: 200,000+
- Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress < 1.6.13 – Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
- Funnels are the most effective way to sell products & services. We created CartFlows, a WordPress Funnel Builder, to help every website owner get more leads, increase conversions, & maximize profits. Active installations: 200,000+
- gallery-from-files <= 1.6.0 – Reflected Cross-Site Scripting (XSS)
- This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a full review.
- Hana Flv Player <= 3.1.3 – Authenticated Stored Cross-Site Scripting (XSS)
- Now you can easily embed FLV Flash videos in your WordPress blog. I have packaged three FLV Flash players – OS FLV, FlowPlayer v2, v3 and v5, and MediaElement.js (for HTML5 player support) – so you can use them freely without worries, even for commercial purposes, unlike the JW player. Active installations: 4,000+
- hotjar-connecticator <= 1.1.1 – Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 5, 2022 and is not available for download. This closure is temporary, pending a full review.
- iflychat <= 4.6.4 – Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 10, 2022 and is not available for download. This closure is temporary, pending a full review.
- Instant Images – One Click Unsplash Uploads < 184.108.40.206 – Authenticated Stored XSS & XFS
- Instantly upload photos from Unsplash to your website without leaving WordPress! Active installations: 70,000+
- LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress < 4.21.1 – Authenticated Stored XSS in Edit Profile
- LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress < 4.21.1 – Reflected Cross-Site Scripting (XSS) via Coupon Code in Checkout
- LifterLMS is a powerful WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training based membership websites. Active installations: 10,000+
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.5.67 – Authenticated Stored Cross-Site Scripting via Gallery Title
- Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+
- PickPlugins Product Slider for WooCommerce < 1.13.22 – Reflected Cross-Site Scripting (XSS)
- PickPlugins Product Slider is an easy and user-friendly carousel slider for WooCommerce products. You can create unlimited product sliders with this plugin and display them anywhere via shortcodes. A layout builder lets you build the product slider as you want; it is easy to customize, and by adding your own CSS in the layout editor you can build fancy and unique layouts. No coding is required to build a custom layout and add elements to it. There are tons of options to control slider functionality, such as slide speed and whether to display or hide navigation and dots. Active installations: 20,000+
- ReDi Restaurant Reservation < 21.0426 – Unauthenticated Stored Cross-Site Scripting (XSS)
- The one and only fully automated reservation system. Real-time available-seat checks with instant reservation confirmation for your guests. Don't spend any more time manually reviewing and confirming reservations. Turn your website visitors into restaurant guests. Don't let your guests wait; surprise them with instant confirmation. Active installations: 1,000+
- Simple Giveaways – Grow your business, email lists and traffic with contests < 2.36.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Simple Giveaways helps you host giveaways which is entirely what this plugin is all about. You can host them on a separate page and also drive people to it through widgets & shortcodes. Active installations: 1,000+
- Smooth Scroll Page Up/Down Buttons < 1.4 – Authenticated Stored XSS
- The Smooth Page Scroll Up/Down Buttons plugin for WordPress adds buttons to every page of your site, that can be used to (smoothly) scroll up or down exactly one screen/page at a time. This can be particularly handy for pages with a lot of text/content, or in cases wherever a browser’s scrollbar is just not good enough (or not present at all, like on tablets) to enable one-click, one-screen scrolling. Active installations: 5,000+
- stock-in <= 1.0.4 – Reflected Cross-Site Scripting (XSS)
- This plugin has been closed as of April 29, 2022 and is not available for download. This closure is temporary, pending a full review.
- Target First Plugin 2.0 – Unauthenticated Stored XSS via Licence Key
- The Target First WordPress Plugin, also previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. Active installations: Not public info
- The Plus Addons for Elementor < 4.1.12 – Reflected Cross-Site Scripting (XSS)
- Collection of 100+ Powerful Elementor Widgets, 18+ Templates, 300+ UI Blocks and Amazing Listing Builder for Post Types to surprise your clients with amazing Websites. Active installations: Not public info
- Ultimate Member – User Profile, User Registration, Login & Membership Plugin < 2.1.20 – Authenticated Reflected Cross-Site Scripting (XSS)
- Ultimate Member is the #1 user profile & membership plugin for WordPress. The plugin makes it a breeze for users to sign-up and become members of your website. The plugin allows you to add beautiful user profiles to your site and is perfect for creating advanced online communities and membership sites. Lightweight and highly extendible, Ultimate Member will enable you to create almost any type of site where users can join and become members with absolute ease. Active installations: 200,000+
- visitors-app <= 0.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 26, 2022 and is not available for download. This closure is temporary, pending a full review.
- Weekly Schedule < 3.4.3 – Authenticated Stored XSS
- The purpose of this plugin is to allow users to create one or more schedules of weekly events and display these schedules on one or more pages as tables. Users can style their schedules using stylesheets based on the category of items and can assign information to items that will be displayed in a tooltip. Active installations: 600+
- WP Customer Reviews < 3.5.6 – Authenticated Stored Cross-Site Scripting (XSS)
- There are many sites that are crawling for user-generated reviews now, including Google Places and Google Local Search. WP Customer Reviews allows you to setup a specific page on your blog to receive customer testimonials for your business/service OR to write reviews about a product. Active installations: 40,000+
- wp-prayer < 1.6.2 – Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of June 1, 2022 and is not available for download. This closure is temporary, pending a full review.
BRIEF: Cross-Site Scripting MAY 2021 is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
What is Cross-Site Scripting MAY 2021?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
What is the impact of an XSS MAY 2021 attack?
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:
– In a simple public application, where all users are anonymous and all information is public, the impact will often be minimal: there is nothing else to steal.
– In an application holding sensitive or private/personal data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
– If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users, owners and their data.
What kinds of XSS attacks are exploited?
– Reflected XSS, where the malicious script comes from the current HTTP request.
– Stored XSS, where the malicious script comes from the website’s database.
– DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.
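The stored and reflected cases above share one root cause, stated earlier in this report: user input is placed into generated HTML without encoding. The following is an added illustration written for this page; it is not code from the report or from any of the plugins listed, and the gallery title, the `$_GET`-style array and the function names are constructed for the example. It shows a "stored XSS via gallery title" pattern in plain PHP, the hardened version that escapes on output with the WordPress `esc_html()`/`esc_attr()` helpers (stand-ins are defined so the file also runs under plain PHP), and a reflected variant whose only difference is the source of the data. DOM-based XSS lives in client-side JavaScript and is not covered here.

```php
<?php
// Added example (not from the report or any listed plugin).
// Run with: php xss_output_encoding.php

// Stand-ins for the WordPress escaping helpers so this runs outside WordPress.
// Inside WordPress the real esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed stand-in for a gallery title read back from the database.
// In a plugin this would come from get_option() or get_post_meta(), and it
// was written by an authenticated user who may hold a low-privilege role.
$stored_title = 'Holiday photos"><script>alert(1)</script>';

// Vulnerable rendering (the stored-XSS pattern): the title lands inside an
// attribute and inside an element body with no encoding, so a quote or '<'
// in it ends the attribute and injects markup that the browser executes.
function render_gallery_vulnerable(string $title): string {
    return '<div class="gallery" title="' . $title . '">'
         . '<h2>' . $title . '</h2></div>';
}

// Hardened rendering: encode for the context the value lands in.
// esc_attr() for attribute values, esc_html() for element text.
function render_gallery_hardened(string $title): string {
    return '<div class="gallery" title="' . esc_attr($title) . '">'
         . '<h2>' . esc_html($title) . '</h2></div>';
}

// Reflected variant: same defect and same fix, but the data comes from the
// current request rather than the database. $get is a constructed stand-in
// for $_GET.
function render_search_hardened(array $get): string {
    $q = (string)($get['s'] ?? '');
    return '<p>Results for: ' . esc_html($q) . '</p>';
}

// Input sanitising on save (sanitize_text_field() in WordPress; strip_tags()
// as a plain-PHP stand-in) narrows what gets stored, but it is a second
// layer: output encoding is what stops stored markup from being parsed.
function sanitize_on_save(string $raw): string {
    return function_exists('sanitize_text_field')
        ? sanitize_text_field($raw)
        : trim(strip_tags($raw));
}

// Demonstration on the constructed values.
echo "Vulnerable: " . render_gallery_vulnerable($stored_title) . "\n";
echo "Hardened:   " . render_gallery_hardened($stored_title) . "\n";
echo "Reflected:  " . render_search_hardened(['s' => '<img src=x>']) . "\n";
echo "Sanitised:  " . sanitize_on_save($stored_title) . "\n";

// Self-check: the hardened output must carry the title only as encoded text.
$hardened = render_gallery_hardened($stored_title);
if (strpos($hardened, '<script>') !== false
    || strpos($hardened, '&lt;script&gt;') === false) {
    fwrite(STDERR, "Self-check failed: raw markup survived encoding\n");
    exit(1);
}
echo "Self-check passed: no raw markup from the title reaches the page.\n";
```

The practical rule the example encodes: pick the escaping function by the output context (attribute, element body, URL, JavaScript), apply it at the point of output rather than trusting whatever was sanitised on the way in, and treat every plugin setting that any authenticated role can edit as untrusted, since that is exactly the path the "Authenticated Stored XSS" entries above describe.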