One of many World’s hottest WordPress themes quietly patched a safety vulnerability over the weekend that safety researchers say seems to have patch a saved XSS vulnerability.
The official Astra changelog provided this rationalization of the safety launch:
“Enhanced Safety: Our codebase has been strengthened to additional shield your web site.”
Their changelog, which paperwork adjustments to the code that’s included in each replace, presents no details about what the vulnerability was or the severity of it. Theme customers thus can’t make an knowledgeable resolution as as to whether to replace their theme as quickly as attainable or to conduct checks first earlier than updating to insure that the up to date theme is appropriate with different plugins in use.
SEJ reached out to the Patchstack WordPress safety firm who verified that Astra might have patched a cross-site scripting vulnerability.
Brainstorm Pressure Astra WordPress Theme
Astra is likely one of the world’s hottest WordPress theme. It’s a free theme that’s comparatively light-weight, straightforward to make use of and leads to skilled trying web sites. It even has Schema.org structured knowledge built-in inside it.
Cross-Website Scripting Vulnerability (XSS)
A cross-site scripting vulnerability is likely one of the most typical sort of vulnerabilities discovered on WordPress that typically arises inside third occasion plugins and themes. It’s a vulnerability that happens when there’s a strategy to enter knowledge however the plugin or theme doesn’t sufficiently filter what’s being enter or output which might subsequently enable an attacker to add a malicious payload.
This explicit vulnerability known as a saved XSS. A saved XSS is so-called as a result of it includes immediately importing the payload to the web site server and saved.
The non-profit Open Worldwide Utility Safety Undertaking (OWASP) web site presents the next description of a saved XSS vulnerability:
“Saved assaults are these the place the injected script is completely saved on the goal servers, similar to in a database, in a message discussion board, customer log, remark area, and so forth. The sufferer then retrieves the malicious script from the server when it requests the saved info. Saved XSS can be typically known as Persistent or Kind-II XSS.”
Patchstack Overview Of Plugin
SEJ contacted Patchstack who promptly reviewed the modified information and recognized a attainable theme safety difficulty in three WordPress features. WordPress features are code that may change how WordPress options behave similar to altering how lengthy an excerpt is. Features can add customizations and introduce new options to a theme.
Patchstack defined their findings:
“I downloaded model 4.6.9 and 4.6.8 (free model) from the WordPress.org repository and checked the variations.
Evidently a number of features have had a change made to them to flee the return worth from the WordPress perform get_the_author.
This perform prints the “display_name” property of a consumer, which might include one thing malicious to finish up with a cross-site scripting vulnerability if printed immediately with out utilizing any output escaping perform.
The next features have had this modification made to them:
astra_archive_page_info astra_post_author_name astra_post_authorIf, for instance, a contributor wrote a publish and this contributor adjustments their show identify to include a malicious payload, this malicious payload can be executed when a customer visits that web page with their malicious show identify.”
Untrusted knowledge within the context of XSS vulnerabilities in WordPress can occur the place a consumer is ready to enter knowledge.
These processes are referred to as Sanitization, Validation, and Escaping, 3 ways of securing a WordPress web site.
Sanitization could be mentioned to be a course of that filters enter knowledge. Validation is the method of checking what’s enter to find out if it’s precisely what’s anticipated, like textual content as a substitute of code. Escaping output makes positive that something that’s output, similar to consumer enter or database content material, is protected to show within the browser.
WordPress safety firm Patchstack recognized adjustments to features that escape knowledge which in flip provides clues as to what the vulnerability is and the way it was fastened.
Patchstack Safety Advisory
It’s unknown whether or not a 3rd occasion safety researcher found the vulnerability or if Brainstorm, the makers of the Astra theme, found it themselves and patched it.
The official Patchstack advisory provided this info:
“An unknown individual found and reported this Cross Website Scripting (XSS) vulnerability in WordPress Astra Theme. This might enable a malicious actor to inject malicious scripts, similar to redirects, commercials, and different HTML payloads into your web site which can be executed when visitors go to your website. This vulnerability has been fastened in model 4.6.9.”
Patchstack assessed the vulnerability as a medium risk and assigned it a rating of 6.5 on a scale of 1 – 10.
Wordfence Safety Advisory
Wordfence additionally simply revealed a safety advisory. They analyzed the Astra information and concluded:
“The Astra theme for WordPress is susceptible to Saved Cross-Website Scripting through a consumer’s show identify in all variations as much as, and together with, 4.6.8 on account of inadequate enter sanitization and output escaping. This makes it attainable for authenticated attackers, with contributor-level entry and above, to inject arbitrary net scripts in pages that may execute each time a consumer accesses an injected web page.”
It’s typically really useful that customers of the theme replace their set up nevertheless it’s additionally prudent to check whether or not the up to date theme doesn’t trigger errors earlier than pushing it to a stay web site.
See additionally:
Featured Picture by Shutterstock/GB_Art
