A Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress Lava Directory Manager Plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which would be executed when visitors visit the affected site.
This vulnerability was discovered and reported by Emili Castells.
The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to inject malicious scripts into the website, which are then executed when visitors visit the site.
The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high severity. This means that the vulnerability is moderately likely to be exploited and could have a significant impact on the affected system.
All versions of the WordPress Lava Directory Manager Plugin are affected by this vulnerability.
An attacker who successfully exploits this vulnerability could inject malicious scripts into your website. This could allow the attacker to steal sensitive data, redirect visitors to malicious websites, or take control of the affected website.
Given the high severity of this vulnerability, we advise the following steps to protect the WordPress website:
- Keep Informed: Stay up to date with information from the plugin developer regarding a fix for the vulnerability. Apply any patches or updates as soon as they become available.
- Regular Updates: Ensure all WordPress plugins, themes, and the WordPress core are regularly updated to mitigate known vulnerabilities.
- Security Measures: Consider implementing additional security measures, such as web application firewalls (WAFs), security plugins, and routine security audits, to enhance the website’s defenses.
There is currently no patched version of the WordPress Lava Directory Manager Plugin available. To mitigate the risk of exploitation, it is recommended that disabled the plugin until a patched version is released.