A couple of weeks ago, a WordPress Plugin called WP Product Review was discovered to contain a cross-site scripting (XSS) vulnerability.

This is a classic case of putting usability before security – failing to do proper validation and escaping of user input. Sucuri – who discovered the bug – went on to say:

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute,” we’re told. “A successful attack results in malicious scripts being injected in all the site’s products.”

It is believed about 40,000 sites have this particular plugin installed, so if you own such a site, you are encouraged to update to version 3.7.6 or later of WP Product Review at the earliest opportunity.

This type of attack is potentially very serious because it is an unauthenticated attack, meaning it is not necessary to have an account on the site and the whole operation can be automated.
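To see why sanitising for one HTML context is not enough for another, here is an added illustration in plain PHP; it is not code from WP Product Review or from Sucuri, and the tag-stripping sanitiser is a stand-in, since the post does not name the WordPress function that was bypassed.

```php
<?php
// Added illustration, not the plugin's code: a sanitiser that only removes tags
// versus proper attribute-context escaping, applied to the same user input.

// Stand-in for a "strip the tags" style sanitiser (assumption: the real function
// used by the plugin is not named in the post).
function sanitize_like_tag_stripper(string $value): string
{
    return strip_tags($value);
}

// Attribute-context escaping: quotes and angle brackets become entities, so the
// value can never close the attribute it is printed into.
function escape_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders a product field with the user value placed inside an HTML attribute,
// which is exactly the context where tag stripping offers no protection.
function render_product_field(string $name, callable $filter): string
{
    return '<input type="text" name="product" value="' . $filter($name) . '">';
}

// Defensive check a plugin test suite could keep: after escaping, no raw double
// quote from the user value may survive, because a raw quote is what lets a
// value escape the attribute and introduce attributes of its own.
function attribute_value_is_contained(string $escaped): bool
{
    return strpos($escaped, '"') === false && strpos($escaped, '<') === false;
}

// Constructed test input: no tags at all, just a quote followed by text that
// would be interpreted as a new attribute once the value attribute is closed.
$input = '" onfocus="x';

// The tag stripper leaves this untouched (there is no <...> to remove), so the
// rendered markup gains an attribute the developer never wrote.
echo render_product_field($input, 'sanitize_like_tag_stripper'), PHP_EOL;
var_dump(attribute_value_is_contained(sanitize_like_tag_stripper($input)));

// Attribute escaping keeps the whole string inside value="..." as inert text.
echo render_product_field($input, 'escape_for_attribute'), PHP_EOL;
var_dump(attribute_value_is_contained(escape_for_attribute($input)));
```

The first check reports false and the second true, which is the difference between the bypassable sanitiser and escaping chosen for the context the value is printed into.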

Stay safe, people.