A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Awesome Weather Widget Plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which could be executed when visitors visit an affected site.

This vulnerability was discovered and responsibly reported by Lana Codes.

The vulnerability is an XSS vulnerability that occurs in the awesome-weather-widget.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious scripts into the website.

Severity:

The vulnerability has a CVSS 3.1 score of 6.5, which is considered to be medium. This means that the vulnerability is moderately exploitable and could have a moderate impact on the affected system.

Affected Versions:

Unfortunately, at present, there is no information available about a patched version that would address this XSS vulnerability in the Awesome Weather Widget Plugin. The vulnerability affects all versions of the Awesome Weather Widget Plugin.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Inject malicious scripts into your website, which could allow them to:
    • Steal user information, such as cookies, session tokens, and passwords.
    • Redirect users to malicious websites.
    • Display malicious content on your website.
    • Take control of user accounts.

Recommendation:

Given the absence of a known fix, it’s urgent to consider the following steps to protect the WordPress website:

  • Deactivate and Remove the Plugin: Due to the absence of an available patch, users of the Awesome Weather Widget Plugin are advised to disable or uninstall the plugin as soon as possible from WordPress installation. This action can help mitigate the risk associated with this vulnerability until a suitable fix is released.