A critical Cross-Site Scripting (XSS) vulnerability has been identified in the EG-Attachments plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the author’s website, which could then be executed by visitors to the affected site.
Le Ngoc Anh discovered and reported this vulnerability.
This vulnerability has not been fixed yet. It is important to note that disabling the plugin may break some functionality on the website. Users should consider switching to a different plugin or developing their own solution.
High (CVSS 3.1 score of 7.1)
All versions of the EG-Attachments plugin
If a malicious actor is able to exploit this vulnerability, they could:
- Inject malicious scripts into the website, which could then be executed by visitors to the site.
- Redirect visitors to malicious websites
- Inject advertisements into the website
- Steal cookies or other sensitive information from visitors
In light of the high-severity nature of this vulnerability, we recommend the following actions to protect the WordPress website:
- Temporary Deactivation: Until a patched version becomes available, consider temporarily deactivating the EG-Attachments Plugin. This action can mitigate the risk of exploitation until the vulnerability is fixed.
- Plugin Updates: Keep a close watch on updates for the EG-Attachments Plugin. As soon as a new version is released with a patch for this vulnerability, update the plugin to the latest version.
- Security Auditing: After applying updates, perform a comprehensive security audit on the WordPress website to ensure that the vulnerability has been successfully addressed.
- Monitoring and Scanning: Regularly monitor the website for unusual activities and conduct security scans to detect any potential issues.
- Stay Informed: Keep yourself informed about the latest developments regarding the EG-Attachments Plugin. This includes updates on the vulnerability and the release of a patched version.
Disable the EG-Attachments plugin immediately. There is no patched version available at this time.