WordPress Astra Theme Vulnerability Affects +1 Million Sites via @sejournal, @martinibuster

One of the world’s most popular WordPress themes quietly patched a security vulnerability over the weekend that security researchers say appears to have been a stored XSS vulnerability.

The official Astra changelog offered this explanation of the security release:

“Enhanced Security: Our codebase has been strengthened to further support your website.”

Their changelog, which documents the code changes included in each update, offers no information about what the vulnerability was or how severe it is. Theme users therefore can’t make an informed decision as to whether to update their theme as soon as possible or to run tests first, before updating, to ensure that the updated theme is compatible with the other plugins in use.

SEJ reached out to the WordPress security company Patchstack, which verified that Astra may have patched a cross-site scripting vulnerability.

Brainstorm Force Astra WordPress Theme

Astra is one of the world’s most popular WordPress themes. It’s a free theme that’s relatively lightweight, easy to use and produces professional looking websites. It even has Schema.org structured data built into it.

Cross-Site Scripting Vulnerability (XSS)

A cross-site scripting vulnerability is one of the most common kinds of vulnerability found in WordPress, and it generally arises in third-party plugins and themes. It occurs when there is a way to input data but the plugin or theme doesn’t sufficiently filter what is input or output, which can allow an attacker to upload a malicious payload.

This particular vulnerability is called a stored XSS. A stored XSS is so called because the payload is uploaded directly to the website server and stored there.

The non-profit Open Worldwide Application Security Project (OWASP) website offers the following description of a stored XSS vulnerability:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.”

Patchstack Review Of Plugin

SEJ contacted Patchstack, who promptly reviewed the changed files and identified a possible theme security issue in three WordPress functions. WordPress functions are code that can change how WordPress features behave, such as changing how long an excerpt is. Functions can add customizations and introduce new features to a theme.

Patchstack explained their findings:

“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.

It seems that several functions have had a change made to them to escape the return value from the WordPress function get_the_author.

This function prints the “display_name” property of a user, which could contain something malicious and end up as a cross-site scripting vulnerability if printed directly without using any output escaping function.

The following functions have had this change made to them:

astra_archive_page_info
astra_post_author_name
astra_post_author

If, for example, a contributor wrote a post and this contributor changes their display name to contain a malicious payload, this malicious payload will be executed when a visitor visits that page with their malicious display name.”

Untrusted data, in the context of XSS vulnerabilities in WordPress, can enter wherever a user is able to input data.

The defenses against it are called Sanitization, Validation, and Escaping, three ways of securing a WordPress website.

Sanitization can be described as a process that filters input data. Validation is the process of checking what is input to determine whether it is exactly what is expected, such as text rather than code. Escaping output makes sure that anything that is output, such as user input or database content, is safe to display in the browser.

WordPress security company Patchstack identified changes to functions that escape data, which in turn gives clues as to what the vulnerability is and how it was fixed.
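As an added example, and not code from the article, Astra or Patchstack, here is a small audit script of the kind a reviewer could use to spot the defect Patchstack describes: it flags get_the_author() calls that are printed without a WordPress escaping function wrapped directly around them. The PHP snippets it runs over are constructed to model the before and after of such a fix; the function name theme_post_author_name and the template line are assumptions, not Astra’s source.

```python
import re

# Constructed PHP snippets standing in for a theme's author-name output, before
# and after the kind of fix Patchstack describes. These are NOT Astra's source.
BEFORE = r'''
function theme_post_author_name() {
    echo '<span class="author-name">' . get_the_author() . '</span>';
}
'''
AFTER = r'''
function theme_post_author_name() {
    echo '<span class="author-name">' . esc_html( get_the_author() ) . '</span>';
}
'''
# Constructed template line: one occurrence is escaped, the attribute one is not.
TEMPLATE = r'''
<a class="url fn n" href="<?php echo esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ); ?>"
   title="<?= get_the_author() ?>"><?= esc_html( get_the_author() ) ?></a>
'''

# WordPress output-escaping functions that make a display name safe to print.
ESCAPERS = ("esc_html", "esc_attr", "esc_js", "esc_textarea", "wp_kses", "wp_kses_post")
AUTHOR_CALL = re.compile(r"get_the_author\s*\(\s*\)")      # get_the_author_meta() is excluded
OUTPUT_STMT = re.compile(r"\b(echo|print|printf)\b|<\?=")  # lines that emit output
WRAPPED_BY = re.compile(r"\b(" + "|".join(ESCAPERS) + r")\s*\(\s*$")

def find_unescaped_author_output(php_source):
    """Return (line_number, stripped_line) for each get_the_author() call that is
    printed without an escaping function directly around it. This is a line-based
    heuristic: it does not follow values assigned to variables and echoed later."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if not OUTPUT_STMT.search(line):
            continue  # not an output statement, so nothing is printed here
        for match in AUTHOR_CALL.finditer(line):
            # Safe only if the text right before the call ends with "esc_xxx("
            if not WRAPPED_BY.search(line[:match.start()]):
                findings.append((lineno, line.strip()))
    return findings

if __name__ == "__main__":
    for name, src in (("BEFORE", BEFORE), ("AFTER", AFTER), ("TEMPLATE", TEMPLATE)):
        print(name, find_unescaped_author_output(src))
```

Run against a real theme directory, the same check is what a diff review between two theme versions makes visible: the fixed version wraps each printed call in esc_html() or esc_attr(), so the findings list should shrink to empty.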

Patchstack Security Advisory

It’s unknown whether a third-party security researcher discovered the vulnerability or whether Brainstorm Force, the makers of the Astra theme, discovered it themselves and patched it.

The official Patchstack advisory offered this information:

“An unknown user discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Astra Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.9.”

Patchstack assessed the vulnerability as a medium threat and assigned it a score of 6.5 on a scale of 1 – 10.

Wordfence Security Advisory

Wordfence also just published a security advisory. They analyzed the Astra files and concluded:

“The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

It’s generally recommended that users of the theme update their installation, but it’s also prudent to test that the updated theme doesn’t cause errors before pushing it to a live website.

Featured Image by Shutterstock/GB_Art