A Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress WP Matterport Shortcode plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which would be executed when visitors visit the affected site.
This vulnerability was discovered and reported by Erwan LR (WPScan).
The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to inject malicious scripts into the website, which are then executed when visitors visit the site.
The vulnerability has been fixed in version 2.1.7 of the WordPress WP Matterport Shortcode plugin. Users who are running an older version of the plugin should update to the latest version as soon as possible.
The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high severity. This means that the vulnerability is moderately likely to be exploited and could have a significant impact on the affected system.
All versions of the WordPress WP Matterport Shortcode plugin prior to 2.1.7 are affected by this vulnerability.
An attacker who successfully exploits this vulnerability could inject malicious scripts into your website. This could allow the attacker to steal sensitive data, redirect visitors to malicious websites, or take control of the affected website.
Due to the high severity of this vulnerability, immediate action is essential to secure the website:
- Update the Plugin: Immediately update the WP Matterport Shortcode Plugin to the latest available version, ensuring it is at least version 2.1.7. This update includes critical security fixes for the XSS vulnerability.
- Regular Plugin Updates: In addition to this specific update, maintain the practice of routinely updating all WordPress plugins and themes to their latest versions. This is a fundamental measure of a website’s security.
- Enhance Security Measures: Consider implementing additional security layers such as web application firewalls (WAFs) and security plugins. Regular security audits can help identify and address potential vulnerabilities.