WordPress Autoptimize Plugin Vulnerability Affects +1 Million Sites

WordPress optimization plugin Autoptimize recently updated to fix a Stored XSS vulnerability. Publishers who use the plugin are advised to update immediately to reduce the risk of the flaw being exploited against their site.

Stored XSS Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability is a flaw in the software that allows a hacker to upload a malicious file which is kept by the site and can then attack someone else who visits it.

There are different kinds of stored XSS vulnerabilities and it isn’t clear which kind this is.

However, depending on where the malicious file is uploaded, this type of vulnerability can be especially problematic when someone with admin level privileges visits the site and receives the payload, which can lead to a total site takeover.

The United States National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, defines a cross-site scripting exploit as follows:

“A vulnerability that allows attackers to inject malicious code into an otherwise benign website.

These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client.

Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.”

This is called a “stored” XSS vulnerability because the malicious file is stored on the website itself. Of the different kinds of XSS
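The pattern the NIST definition describes, shown as an added example in WordPress-style PHP that is not Autoptimize's code (the article does not say where in the plugin the flaw lives). It contrasts a setting handler that stores whatever a logged-in user submits and prints it back raw, which is the shape of an authenticated stored XSS, with a hardened handler that restricts who may save, verifies a nonce, sanitizes on save and escapes on output. The option names, form field and hook choices are assumptions for this example; the WordPress functions used (`current_user_can`, `check_admin_referer`, `sanitize_text_field`, `esc_html`, `esc_attr`, `wp_nonce_field`) are real APIs.

```php
<?php
/**
 * Plugin Name: Stored XSS demo (added example, not Autoptimize code)
 *
 * Two versions of the same "custom footer text" setting. The vulnerable one
 * persists whatever a logged-in user submits and echoes it unescaped; the
 * hardened one limits who may save, checks a nonce, sanitizes on save and
 * escapes on output. Option names and the form field are assumptions.
 */

// ---------- Vulnerable pattern (kept only to show the defect) ----------

function demo_save_footer_vulnerable() {
    if ( isset( $_POST['demo_footer'] ) ) {
        // No capability check, no nonce, no sanitization: any logged-in user
        // who reaches this handler can persist arbitrary markup, including
        // <script> tags, in the database.
        update_option( 'demo_footer_vulnerable', wp_unslash( $_POST['demo_footer'] ) );
    }
}

function demo_print_footer_vulnerable() {
    // Raw echo: the stored markup is rendered, and any script in it executed,
    // in the browser of every visitor, administrators included.
    echo get_option( 'demo_footer_vulnerable', '' );
}

// ---------- Hardened pattern ----------

function demo_save_footer_hardened() {
    if ( ! isset( $_POST['demo_footer'] ) ) {
        return;
    }
    // Only users allowed to manage settings may change this value.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF protection: the form must carry a valid nonce for this action
    // (check_admin_referer() stops execution if it does not).
    check_admin_referer( 'demo_save_footer', 'demo_footer_nonce' );

    // Sanitize on save: sanitize_text_field() strips tags and stray control
    // characters, so script markup never reaches the database.
    $clean = sanitize_text_field( wp_unslash( $_POST['demo_footer'] ) );
    update_option( 'demo_footer_hardened', $clean );
}

function demo_print_footer_hardened() {
    // Escape on output too: defense in depth in case another code path wrote
    // the option without sanitizing it.
    echo '<div class="demo-footer">' . esc_html( get_option( 'demo_footer_hardened', '' ) ) . '</div>';
}

function demo_render_footer_form_hardened() {
    // Attribute context needs esc_attr(); wp_nonce_field() emits the nonce.
    $current = get_option( 'demo_footer_hardened', '' );
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_footer', 'demo_footer_nonce' );
    echo '<input type="text" name="demo_footer" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Only the hardened handlers are wired into WordPress.
add_action( 'admin_init', 'demo_save_footer_hardened' );
add_action( 'wp_footer', 'demo_print_footer_hardened' );
```

The three controls address different parts of the "authenticated stored XSS" label: the capability check decides which logged-in users may write the value at all, the nonce stops a victim's browser from being tricked into submitting the form, and sanitizing plus escaping keeps whatever is written from being executable when displayed. If a setting legitimately needs limited HTML, `wp_kses_post()` is the WordPress way to allow a safe subset rather than echoing the raw value.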

Vulnerability Rating

Vulnerabilities are rated using an open standard called the Common Vulnerability Scoring System (CVSS). Scores are commonly expressed using CVSS version 3.1.

This is how the vulnerability standard is described:

“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.”

The vulnerability affecting Autoptimize is called an Authenticated Stored XSS vulnerability which means that a hacker must be logged in to the site in order to take advantage of the flaw.

That is likely one reason why the severity of the Autoptimize WordPress Plugin vulnerability has been rated as medium, with a score of 5.4 on a scale of 1 to 10.

Autoptimize Changelog

A changelog is a record of the changes a piece of software makes with each update. It typically states a version, sometimes the date of that version, and the changes contained in the update.

According to the official Autoptimize Changelog, the latest version is 2.8.4 which fixes the vulnerability.

“2.8.4
fix for an authenticated XSS vulnerability”

While this is a vulnerability that’s rated as medium, it’s still recommended that all publishers who use this plugin update it immediately in order to stay safe.

Citations

Documentation of Autoptimize Vulnerability at Patchstack Security Site

Official Autoptimize Changelog
