WordPress website owners using the User Email Verification for WooCommerce Plugin: A high severity Cross-Site Scripting (XSS) vulnerability has been identified, posing significant risks to WordPress security and potentially leading to data theft or other malicious activities. Immediate action is required to protect the website from potential exploits.

The security flaw was discovered and responsibly reported by Nguyen Xuan Chien, emphasizing the importance of proactive security measures in the WordPress ecosystem.

The vulnerability is a reflected XSS vulnerability found in the email-verification.php file, where attackers can inject malicious scripts into a victim’s browser by deceiving them into visiting a specially crafted URL.

Severity:

This XSS vulnerability has been assigned a CVSS 3.1 score of 7.1, signifying its high severity and the substantial likelihood of exploitation.

Affected Versions:

The vulnerability affects all versions of the User Email Verification for WooCommerce Plugin, leaving websites using this plugin exposed to potential attacks.

Impact:

If successfully exploited, attackers could inject malicious scripts into a victim’s browser, potentially leading to the theft of cookies or session tokens. Furthermore, attackers could redirect victims to malicious websites or even execute arbitrary commands on the victim’s computer, posing severe risks to website security and user data.

Recommendation:

Given the high severity of this vulnerability, immediate action is essential to protect the WordPress website:

  1. Uninstall the Plugin: For all active User Email Verification for WooCommerce Plugin, uninstall the plugin immediately. The plugin has been closed as of June 2, 2023, and is no longer available for download.
  2. Security Audits: Conduct regular security audits to identify and mitigate any potential vulnerabilities in WordPress plugins and themes.
  3. Use Reputable Alternatives: Explore reputable alternative plugins for similar functionalities that actively receive updates and are maintained by trusted developers.
  4. Stay Informed: Stay updated on security best practices and be vigilant about potential threats to strengthen WordPress security measures.