A critical Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Authors List plugin, posing significant risks to WordPress security and exposing websites to potential malware threats. The vulnerability allows a malicious actor to inject harmful scripts into your website, which then run in the browsers of unsuspecting visitors. The security flaw was identified and reported by LEE SE HYOUNG (hackintoanetwork), emphasizing the importance of community contributions in maintaining a secure WordPress ecosystem.

The XSS vulnerability results from a flaw in the way the Authors List plugin handles user input. By exploiting this flaw, a malicious actor can inject arbitrary code into the website's output, where it runs in the browser of anyone who visits the affected page. This unauthorized execution opens the door to various detrimental outcomes, including redirecting visitors to malicious websites, injecting unwanted advertisements, or even stealing sensitive information such as cookies from unsuspecting users.

Severity:

With a CVSS 3.1 score of 7.5, the vulnerability is categorized as high severity, signifying its relatively easy exploitability and significant impact on affected systems. Prompt action is crucial to protect your website and its visitors from potential exploitation.

Affected Versions:

The vulnerability affects all versions of the Authors List plugin released before version 2.0.3. Any WordPress site using older versions of the plugin is at risk of this XSS vulnerability.
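To check a site against the affected range above, the following added example (not code from the plugin or the reporter) reads the plugin headers under `wp-content/plugins` and flags any copy of Authors List older than 2.0.3. The header value `Authors List`, the `authors-list` directory name used in the sample, and all function names are assumptions; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 0, 3)              # first fixed release, per the advisory
PLUGIN_NAME = "authors list"   # assumption: value of the "Plugin Name:" header
# Header lines look like " * Plugin Name: Authors List" or " * Version: 2.0.2".
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """'2.0.10' -> (2, 0, 10), so comparison is numeric rather than lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def read_headers(php_file):
    """WordPress reads plugin headers from the first 8 KiB of the file."""
    head = php_file.read_text(errors="replace")[:8192]
    return {k.lower(): v.strip() for k, v in HEADER.findall(head)}

def check_site(wp_root):
    """Return (plugin_dir, version, status) for each Authors List copy found."""
    findings = []
    for php in sorted(Path(wp_root).glob("wp-content/plugins/*/*.php")):
        h = read_headers(php)
        if h.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        raw = h.get("version", "")
        ver = parse_version(raw)
        status = "unknown" if not ver else "vulnerable" if ver < FIXED else "patched"
        findings.append((php.parent.name, raw, status))
    return findings

def build_sample(root, slug, version):
    """Constructed sample: a minimal plugin file carrying a WordPress header."""
    d = Path(root, "wp-content", "plugins", slug)
    d.mkdir(parents=True)
    (d / f"{slug}.php").write_text(
        f"<?php\n/**\n * Plugin Name: Authors List\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "authors-list", "2.0.2")   # assumed directory name
        build_sample(tmp, "authors-list-b", "2.0.10")
        for row in check_site(tmp):
            print(*row)
```

Point `check_site` at the WordPress root of a real install to audit it. A copy whose header has no parseable version is reported as `unknown` rather than assumed safe.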

Impact:

An attacker who successfully exploits this vulnerability could inject malicious scripts into pages that a victim visits. These scripts then run in the victim's browser when the page is viewed. This could allow the attacker to:

  • Steal sensitive data, such as login credentials or credit card numbers
  • Install malware on the victim’s computer
  • Disrupt the operation of the system

Impact:

If a malicious actor successfully exploits this vulnerability, they can inject malicious scripts into your website, potentially causing a variety of problems, including but not limited to:

  1. Redirecting unsuspecting visitors to malicious websites.
  2. Injecting unauthorized advertisements into your website.
  3. Stealing sensitive information, such as cookies, from visitors.