Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites

MonsterInsights Google Analytics WordPress plugin XSS vulnerability affects up to +3 million websites

Brought to you by Trickyenough

The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed on over 3 million websites was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability.

A Cross-Site Scripting (XSS) attack generally occurs when a part of the website that accepts user input is insecure and allows unanticipated input, like scripts or links.

Stored XSS

The XSS vulnerability can be leveraged to obtain unauthorized access to a website and can lead to user data theft or a full site takeover.

The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:

A stored XSS, which is arguably worse, is one in which the malicious script is stored on the website's servers themselves.

The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.
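To make the stored case concrete, here is an added plain-PHP illustration (not MonsterInsights code and not from the advisory) of a value that is saved once and then rendered for later visitors, first without and then with output encoding. The in-memory store, function names and sample input are all hypothetical and constructed for this example.

```php
<?php
// Added illustration of stored XSS and output encoding in plain PHP.
// The array below is a hypothetical stand-in for the site's database.
$store = [];

// Write path: a user-submitted value is saved exactly as received.
function save_label(array &$store, string $value): void {
    $store['label'] = $value;
}

// Vulnerable read path: the stored value is concatenated into HTML as-is,
// so markup inside it is served to every visitor who loads the page later.
function render_unsafe(array $store): string {
    $v = $store['label'];
    return '<p title="' . $v . '">' . $v . '</p>';
}

// Hardened read path: encode at output time for the HTML context.
// ENT_QUOTES also encodes ' and ", which matters inside attribute values.
// WordPress ships esc_html() and esc_attr() for these two contexts.
function render_safe(array $store): string {
    $v = htmlspecialchars($store['label'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p title="' . $v . '">' . $v . '</p>';
}

// Constructed sample input: a harmless marker that breaks out of the
// attribute and opens a script element if it is echoed unencoded.
save_label($store, '"><script>console.log("stored")</script>');

$unsafe = render_unsafe($store);
$safe   = render_safe($store);

// Report whether each rendering still contains a live <script> element.
printf("unsafe output contains <script>: %s\n",
    strpos($unsafe, '<script>') !== false ? 'yes' : 'no');
printf("safe output contains <script>:   %s\n",
    strpos($safe, '<script>') !== false ? 'yes' : 'no');

// The encoded form shows the payload reduced to inert text.
echo $safe, PHP_EOL;
```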
