A Cross-Site Scripting (XSS) vulnerability has been uncovered in the WP Reroute Email plugin for WordPress. Discovered and responsibly reported by Alex Thomas, the flaw allows an attacker to place script in the email subject line the plugin handles; because that value is later rendered in a page without adequate escaping, the script runs in the browser of whoever views that page. Possible outcomes include cookie theft, session hijacking, and redirection to attacker-controlled websites. The vulnerability has been assigned a CVSS 3.1 base score of 7.1 (High), and affected sites should update without delay.

Vulnerability Details:

The plugin does not adequately sanitize or escape the email subject line, so an attacker can store script in it that executes whenever the subject is rendered in a page. This is stored XSS: the payload persists on the site and fires for every viewer of the affected page, not only for the person who submitted it. How exposed a given site is depends on who can supply the subject (an unauthenticated sender versus a privileged user) and on which users view the page where it is rendered.
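The pattern behind this class of bug, as an added illustration that is not the WP Reroute Email plugin's own code: a subject string is saved from a form and echoed back into an admin page. The vulnerable pair stores and prints the raw value; the hardened pair sanitizes on input, escapes for the exact output context, and registers the option with a sanitize callback so every write path is covered. The option name `demo_reroute_subject`, the form field `demo_subject`, the nonce action and the settings group are all hypothetical names chosen for this example; the WordPress functions used are real and the code is meant to run inside a plugin, not stand-alone.

```php
<?php
/**
 * Added example (not the plugin's code): a stored-XSS pattern in a WordPress
 * setting that is rendered back in the admin, beside its hardened form.
 * Option name, field name, nonce action and settings group are hypothetical.
 */

// --- Vulnerable pattern: the subject is stored and echoed untouched. ---

function demo_save_subject_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_subject_save' );
    // No sanitization on input: a constructed value such as
    //   "><img src=x onerror=alert(1)>
    // is stored exactly as submitted.
    update_option( 'demo_reroute_subject', wp_unslash( $_POST['demo_subject'] ?? '' ) );
}

function demo_render_subject_vulnerable() {
    // No escaping on output: the stored string closes the value attribute and
    // injects markup, so the script runs for every user who opens this page.
    echo '<input type="text" name="demo_subject" value="'
        . get_option( 'demo_reroute_subject', '' ) . '">';
}

// --- Hardened pattern: sanitize on the way in, escape for the output context. ---

function demo_save_subject_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_subject_save' );
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    // A subject line never needs markup, and removing line breaks also blocks
    // header injection if the value is later placed in a mail header.
    $subject = sanitize_text_field( wp_unslash( $_POST['demo_subject'] ?? '' ) );
    update_option( 'demo_reroute_subject', $subject );
}

function demo_render_subject_hardened() {
    $subject = get_option( 'demo_reroute_subject', '' );
    // esc_attr() for an attribute value, esc_html() for a text node: the
    // escaping function must match where the value lands in the document.
    echo '<input type="text" name="demo_subject" value="' . esc_attr( $subject ) . '">';
    echo '<p>Current subject prefix: ' . esc_html( $subject ) . '</p>';
}

// Registering the option with a sanitize_callback enforces sanitization on
// every write path (Settings API form, REST, WP-CLI), not only the plugin's
// own handler, so a second save path cannot reintroduce the bug.
function demo_register_subject_option() {
    register_setting(
        'demo_reroute_options',
        'demo_reroute_subject',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_register_subject_option' );
```

Input sanitization alone is not a complete fix: values already stored before the fix, or written through another path, still reach the page. Escaping at output (`esc_attr`, `esc_html`) is what guarantees the browser treats the value as data, which is why the hardened version does both.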

Severity:

The vulnerability is rated high severity (CVSS 3.1 base score 7.1). XSS does not give the attacker direct access to the server; it runs script in a victim's browser. The risk to the site comes from what that script can do as the victim, and a logged-in administrator is the most valuable target, since actions taken in their session can lead to a full site takeover.

Affected Versions:

All versions of the WP Reroute Email plugin up to and including 1.4.9 are affected. Version 1.5.0 fixes the vulnerability; any site still running 1.4.9 or earlier remains exposed.

Impact:

Script injected into the subject line executes in the browser of any user who views a page where the subject is rendered. The consequences include theft of cookies, hijacking of authenticated sessions, and redirection to attacker-controlled websites. One caveat on the cookie-theft point: WordPress sets its authentication cookies with the HttpOnly flag, so reading them from script is not straightforward; the more realistic path to compromise is script acting as the victim from within the page, for example by issuing authenticated requests using the nonces present in an administrator's page.

Recommendation:

Users of the WP Reroute Email plugin are strongly advised to update to version 1.5.0 immediately; the installed version can be confirmed on the Plugins screen of the dashboard. Because a stored XSS payload persists in the site's data, updating the code does not remove a value that was injected before the update, so after updating, review the plugin's stored subject setting and remove any markup found there. If updating is not feasible, the risk can be mitigated by temporarily disabling the plugin. Note that the plugin's job is to redirect outgoing mail, so disabling it restores normal delivery; on a staging or development site, confirm that is acceptable before turning it off.