A Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress The Awesome Feed – Custom Feed Plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which would be executed when visitors visit the affected site.
This vulnerability was discovered and reported by Nguyen Xuan Chien.
The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to inject malicious scripts into the website, which are then executed when visitors visit the site.
The severity of this vulnerability is high, with a CVSS 3.1 score of 7.1.
As of the present, there is no patched version accessible to address this vulnerability. In light of this, we advise the following steps to manage this situation and reduce potential risks:
- Temporary Deactivation: Consider temporarily deactivating “The Awesome Feed – Custom Feed” Plugin to minimize the exposure of the website to potential exploitation.
- Developer Contact: Reach out to the plugin developer to inquire about their plans to release a fix or patch for this issue. Keep the lines of communication open to remain informed about any developments regarding this vulnerability.
- Exploration of Alternatives: While waiting for a resolution, explore alternative plugins that can temporarily fulfill the functionality provided by the vulnerable plugin. Ensure that any alternatives considered are from reputable sources and are routinely maintained and updated.
An attacker who successfully exploits this vulnerability could inject malicious scripts into the website. This could allow the attacker to steal sensitive data, redirect visitors to malicious websites, or take control of the affected website.
There is currently no patched version of the WordPress The Awesome Feed – Custom Feed Plugin available. To mitigate the risk of exploitation, it is recommended that users disable the plugin until a patched version is released.