A high-severity vulnerability has been identified in the WordPress Leyka Plugin. This vulnerability allows an attacker to inject malicious scripts into the affected website, potentially compromising the security of the website and its visitors. This plugin vulnerability was discovered and responsibly reported by Phd.
The vulnerability is a Cross-Site Scripting (XSS) vulnerability that occurs in the leyka-admin.php file. The vulnerability allows an attacker to inject malicious scripts into the affected website by specifying a specially crafted URL in the page parameter of the ajax_get_posts function.
Severity:
The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
Affected Versions:
The vulnerability affects WordPress websites that use the Leyka Plugin prior to version 3.30.3.
Impact:
An attacker who successfully exploits this vulnerability could inject malicious scripts into the affected website, such as:
- Phishing scripts
- Malware
- Ads
This malicious code could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:
- Stealing personal information
- Damaging the website’s files or database
- Taking control of the website
Recommendation:
Users of the Leyka Plugin are advised to update to version 3.30.3 or higher as soon as possible. This will fix the vulnerability and protect users from attacks.
This vulnerability is a serious threat to the security of WordPress websites. Users who are running an affected version of the Leyka Plugin should update to the latest version as soon as possible.