
Poor WordPress documentation trips developers, yields plug-ins with XSS flaw

Discussion in 'Network World' started by RSS, Apr 21, 2015.


    Ambiguous WordPress documentation led many plug-in and theme developers to make an error that exposed websites to cross-site scripting (XSS) attacks.

    Such attacks involve tricking a site’s users into clicking on specially crafted URLs that execute rogue JavaScript code in their browsers in the context of that website.

    The impact depends on the user’s role on the website. For example, if victims have administrative privileges, attackers could trigger rogue administrative actions. If victims are regular users, attackers could steal their authentication cookies and hijack their accounts.

    The vulnerability stems from insecure use of two WordPress functions called add_query_arg and remove_query_arg and was discovered recently by researchers from code auditing company Scrutinizer.

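The misuse the article describes, shown as an added PHP example that is not part of the article, of WordPress core, or of any plug-in the article refers to. It assumes WordPress is loaded (add_query_arg, remove_query_arg, esc_url, esc_html and add_menu_page are core functions); the qad_* function names, the menu slug and the crafted request URI are constructed for illustration. The security-relevant detail is that add_query_arg() and remove_query_arg(), when called without an explicit URL, build their result from $_SERVER['REQUEST_URI'], so the returned string is attacker-influenced and must be escaped before it is written into HTML.

```php
<?php
/*
Plugin Name: Query Arg Escaping Demo (added example, not from the article)
Description: Side-by-side vulnerable and hardened use of add_query_arg()/remove_query_arg().
*/

// Assumption: WordPress is loaded, so the core functions used below exist.

// VULNERABLE PATTERN. With no URL argument, add_query_arg() derives the result from
// the current request URI, which the attacker controls. Writing that result into an
// href without escaping lets a crafted request break out of the attribute.
function qad_vulnerable_sort_link( $orderby ) {
    $url = add_query_arg( 'orderby', $orderby );              // built on $_SERVER['REQUEST_URI']
    return '<a href="' . $url . '">' . esc_html( $orderby ) . '</a>';   // missing esc_url()
}

// HARDENED PATTERN. Same call; the only change is esc_url() on output, which strips or
// encodes the characters ( " < > and others ) that would terminate the attribute.
function qad_safe_sort_link( $orderby ) {
    $url = add_query_arg( 'orderby', $orderby );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $orderby ) . '</a>';
}

// remove_query_arg() has the same REQUEST_URI fallback and needs the same treatment.
function qad_safe_clear_link() {
    $url = remove_query_arg( array( 'orderby', 'paged' ) );
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Clear', 'qad' ) . '</a>';
}

// Hypothetical admin page that renders both variants so the page source can be compared.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Query Arg Demo',
        'Query Arg Demo',
        'manage_options',
        'qad-demo',
        function () {
            // Constructed test request (not from the article). A victim who follows it
            // loads this page with extra, attacker-chosen material in REQUEST_URI:
            //   /wp-admin/admin.php?page=qad-demo&%22%3E%3Cscript%3Ealert(1)%3C/script%3E=1
            // The vulnerable link copies the surviving part of that URI into the markup;
            // the hardened link passes it through esc_url() first, so it stays an inert href.
            echo '<div class="wrap"><h1>Query Arg Demo</h1>';
            echo '<p>Vulnerable: ' . qad_vulnerable_sort_link( 'title' ) . '</p>';
            echo '<p>Hardened: ' . qad_safe_sort_link( 'title' ) . '</p>';
            echo '<p>' . qad_safe_clear_link() . '</p>';
            echo '</div>';
        }
    );
} );
```

When auditing a plug-in or theme for this pattern, grep for add_query_arg( and remove_query_arg( and check each call that lands in HTML (an echo, a printf, a string concatenated into markup) for a surrounding esc_url(); calls that pass an explicit, trusted base URL still deserve the escape, because the change to escaping on output is what keeps the code correct regardless of how the URL was assembled.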