One of many World’s hottest WordPress themes quietly patched a safety vulnerability over the weekend that safety researchers say seems to have patch a saved XSS vulnerability.
The official Astra changelog provided this clarification of the safety launch:
“Enhanced Safety: Our codebase has been strengthened to additional defend your web site.”
Their changelog, which paperwork modifications to the code that’s included in each replace, gives no details about what the vulnerability was or the severity of it. Theme customers thus can’t make an knowledgeable choice as as to if to replace their theme as quickly as attainable or to conduct checks first earlier than updating to insure that the up to date theme is suitable with different plugins in use.
SEJ reached out to the Patchstack WordPress safety firm who verified that Astra could have patched a cross-site scripting vulnerability.
Brainstorm Drive Astra WordPress Theme
Astra is without doubt one of the world’s hottest WordPress theme. It’s a free theme that’s comparatively light-weight, simple to make use of and ends in skilled wanting web sites. It even has Schema.org structured knowledge built-in inside it.
Cross-Web site Scripting Vulnerability (XSS)
A cross-site scripting vulnerability is without doubt one of the commonest sort of vulnerabilities discovered on WordPress that typically arises inside third social gathering plugins and themes. It’s a vulnerability that happens when there’s a approach to enter knowledge however the plugin or theme doesn’t sufficiently filter what’s being enter or output which may subsequently permit an attacker to add a malicious payload.
This explicit vulnerability is known as a saved XSS. A saved XSS is so-called as a result of it includes instantly importing the payload to the web site server and saved.
The non-profit Open Worldwide Utility Safety Venture (OWASP) web site gives the next description of a stored XSS vulnerability:
“Saved assaults are these the place the injected script is completely saved on the goal servers, akin to in a database, in a message discussion board, customer log, remark discipline, and so forth. The sufferer then retrieves the malicious script from the server when it requests the saved data. Saved XSS can be typically known as Persistent or Sort-II XSS.”
Patchstack Evaluate Of Plugin
SEJ contacted Patchstack who promptly reviewed the modified recordsdata and recognized a attainable theme safety concern in three WordPress features. WordPress features are code that may change how WordPress options behave akin to altering how lengthy an excerpt is. Features can add customizations and introduce new options to a theme.
Patchstack defined their findings:
“I downloaded model 4.6.9 and 4.6.8 (free model) from the WordPress.org repository and checked the variations.
Evidently a number of features have had a change made to them to flee the return worth from the WordPress operate get_the_author.
This operate prints the “display_name” property of a consumer, which might comprise one thing malicious to finish up with a cross-site scripting vulnerability if printed instantly with out utilizing any output escaping operate.
The next features have had this modification made to them:
astra_archive_page_info astra_post_author_name astra_post_authorIf, for instance, a contributor wrote a publish and this contributor modifications their show identify to comprise a malicious payload, this malicious payload will likely be executed when a customer visits that web page with their malicious show identify.”
Untrusted knowledge within the context of XSS vulnerabilities in WordPress can occur the place a consumer is ready to enter knowledge.
These processes are known as Sanitization, Validation, and Escaping, 3 ways of securing a WordPress web site.
Sanitization will be stated to be a course of that filters enter knowledge. Validation is the method of checking what’s enter to find out if it’s precisely what’s anticipated, like textual content as a substitute of code. Escaping output makes positive that something that’s output, akin to consumer enter or database content material, is secure to show within the browser.
WordPress safety firm Patchstack recognized modifications to features that escape knowledge which in flip offers clues as to what the vulnerability is and the way it was fastened.
Patchstack Safety Advisory
It’s unknown whether or not a 3rd social gathering safety researcher found the vulnerability or if Brainstorm, the makers of the Astra theme, found it themselves and patched it.
The official Patchstack advisory provided this data:
“An unknown individual found and reported this Cross Web site Scripting (XSS) vulnerability in WordPress Astra Theme. This might permit a malicious actor to inject malicious scripts, akin to redirects, commercials, and different HTML payloads into your web site which will likely be executed when company go to your website. This vulnerability has been fastened in model 4.6.9.”
Patchstack assessed the vulnerability as a medium risk and assigned it a rating of 6.5 on a scale of 1 – 10.
Wordfence Safety Advisory
Wordfence additionally simply printed a security advisory. They analyzed the Astra recordsdata and concluded:
“The Astra theme for WordPress is susceptible to Saved Cross-Web site Scripting by way of a consumer’s show identify in all variations as much as, and together with, 4.6.8 as a consequence of inadequate enter sanitization and output escaping. This makes it attainable for authenticated attackers, with contributor-level entry and above, to inject arbitrary net scripts in pages that may execute every time a consumer accesses an injected web page.”
It’s typically really helpful that customers of the theme replace their set up nevertheless it’s additionally prudent to check whether or not the up to date theme doesn’t trigger errors earlier than pushing it to a reside web site.
See additionally:
Featured Picture by Shutterstock/GB_Art
