Vulnerability found in WordPress anti-malware firewall

A popular WordPress anti-malware plugin has been discovered to contain a reflected cross-site scripting vulnerability. This is a type of vulnerability that could allow an attacker to compromise an administrator-level user of the affected website.

Affected WordPress plugin

The plugin discovered to contain the vulnerability is Anti-Malware Security and Brute-Force Firewall, which is used by more than 200,000 websites.

Anti-Malware Security and Brute-Force Firewall is a plugin that defends a website both as a firewall (blocking incoming threats) and as a security scanner that checks for signs of compromise such as hacks, backdoors and database injections.

A premium version defends websites against brute-force attacks that attempt to guess usernames and passwords, and protects against DDoS attacks.

Reflected cross-site scripting vulnerability

This plugin was found to contain a vulnerability that allowed an attacker to launch a Reflected Cross-Site Scripting (Reflected XSS) attack.

A reflected cross-site scripting vulnerability, in this context, is one where a WordPress website does not properly restrict what can be submitted to the site and then echoed back in its pages.

Not restricting (sanitizing) what is submitted is essentially leaving the front door of the website unlocked, allowing virtually anything to be passed in.

An attacker takes advantage of this vulnerability by submitting a script in the request and having the website reflect it back in its response.

When someone with admin-level permissions visits a crafted URL created by the attacker, the script executes in the victim's browser with the admin-level permissions of that logged-in session.

The WPScan Anti-Malware Security and Brute-Force Firewall report describes the vulnerability:

“The plugin does not sanitize and escape QUERY_STRING before outputting it back in an admin page, leading to reflected cross-site scripting in browsers which do not encode characters.”
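The sink the WPScan description names is a raw request query string echoed into admin-page markup. The following is an added illustration, not code from the plugin or from WPScan, written in Python as a language-neutral stand-in for the PHP pattern: the same attribute is rendered once with the query string echoed verbatim (the defect), once HTML-escaped (the minimal fix), and once sanitized to an allow-list of known parameters before escaping. The page name, parameter names and the marked-up sample request are constructed placeholders, not values from the advisory. In WordPress itself the equivalent escaping is done with esc_attr() or esc_url() before output.

```python
"""Reflected XSS via an echoed query string: defective, escaped and
sanitized renderings of the same admin-page attribute, plus a check
a test suite can run to detect the attribute break-out."""
import html
from urllib.parse import parse_qsl, urlencode

# Constructed sample inputs (placeholders, not from the advisory): a normal
# admin-page request and one whose extra parameter carries HTML markup.
BENIGN_QS = "page=example-settings&tab=scan"
HOSTILE_QS = 'page=example-settings&x="><script>alert(1)</script>'

# Parameters the hypothetical admin page actually understands.
ALLOWED_PARAMS = {"page", "tab"}


def render_unsafe(query_string: str) -> str:
    """The defective pattern: QUERY_STRING echoed verbatim into an attribute.
    Whatever the request carried lands in the page unchanged."""
    return f'<form method="post" action="admin.php?{query_string}">'


def render_safe(query_string: str) -> str:
    """Minimal fix: escape for the HTML attribute context.
    quote=True also encodes single and double quotes, so the value
    cannot terminate the attribute early."""
    return (
        '<form method="post" action="admin.php?'
        + html.escape(query_string, quote=True)
        + '">'
    )


def render_hardened(query_string: str) -> str:
    """Sanitize and escape: parse the query, keep only known parameters,
    re-encode them, then escape for the attribute context."""
    pairs = [
        (key, value)
        for key, value in parse_qsl(query_string, keep_blank_values=True)
        if key in ALLOWED_PARAMS
    ]
    rebuilt = urlencode(pairs)
    return (
        '<form method="post" action="admin.php?'
        + html.escape(rebuilt, quote=True)
        + '">'
    )


def attribute_breakout(rendered: str) -> bool:
    """Detection check: after the action attribute closes (at the first
    unencoded double quote, as a browser would parse it), does anything
    follow other than the tag's own '>'? If so, submitted input escaped
    the attribute and became markup."""
    after_attr = rendered.split('action="', 1)[1].split('"', 1)[1]
    return after_attr != ">"


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe),
                      ("escaped", render_safe),
                      ("hardened", render_hardened)):
        out = fn(HOSTILE_QS)
        print(f"{label:9s} breakout={attribute_breakout(out)!s:5s} {out}")
```

The escaped rendering still reflects the submitted text, but as inert data inside the attribute; the hardened rendering additionally drops parameters the page never defined, so unexpected input is never reflected at all. The attribute_breakout check is the kind of assertion a plugin's own test suite can run against rendered admin pages.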

The US Government’s National Vulnerability Database has not yet assigned this vulnerability a severity level score.

The vulnerability in this plugin is called a reflected XSS vulnerability.

There are other types of XSS vulnerabilities, but these are the three main ones:

  • Stored Cross-Site Scripting (Stored XSS) Vulnerability
  • Blind Cross-Site Scripting (Blind XSS)
  • Reflected Cross-Site Scripting (Reflected XSS)

In a stored XSS vulnerability and a blind XSS vulnerability, the malicious script is stored on the website itself. These are generally considered a higher threat because it’s easier to get an admin-level user to trigger the script. But these are not the ones that were discovered in the plugin.

In a reflected XSS, which is what was discovered in the plugin, someone with admin-level credentials must be tricked into clicking a link (e.g. from an email), which then reflects the malicious payload off the website into their browser.

The non-profit Open Web Application Security Project (OWASP) describes a reflected XSS like this:

“Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Reflected attacks are delivered to victims via a different route, such as in an e-mail message, or on some other website.”

Update to version 4.20.96 recommended

It is generally recommended to have a backup of your WordPress files before updating a plugin or theme.

Version 4.20.96 of the WordPress Anti-Malware Security and Brute-Force Firewall plugin contains a fix for the vulnerability.

It is recommended that plugin users consider updating their plugin to version 4.20.96.

Sources

Read US Vulnerability Database Details

CVE-2022-0953 Detail

Read the WPScan Vulnerability Report

Anti-Malware Security and Brute-Force Firewall

Read the official changelog which documents the fixed version

Anti-Malware Security and Brute-Force Firewall Changelog

Esther L. Gunn