Critical vulnerability in famous WordPress firewall plugin affects over 200,000 websites

Anti-Malware Security and Brute-Force Firewall, a popular security plugin for WordPress websites, is affected by a reflected cross-site scripting vulnerability whose exploitation would allow threat actors to compromise users with administrator privileges on vulnerable platforms.

The affected plugin works as a firewall to block incoming security threats and as a security scanner, capable of checking websites to identify backdoors, SQL injections, and other cyberattack variants. Anti-Malware Security and Brute-Force Firewall tool is installed on more than 200,000 websites and features a paid version with additional security options.

About the detected error, it was described as a reflected XSS vulnerability in which a WordPress website fails to properly limit the elements that can be entered into the platform. In this case, the plugin leaves the main door of the website open, allowing all kinds of malicious content to load.

Threat actors can exploit this flaw by loading a script and having the website reflect it. When a user with administrator permissions on the website visits a URL specially designed for the attack, the script is activated with the permissions stored in the victim’s browser.

The report was presented to the app’s developers according to cybersecurity community standards. Version 4.20.96 of WordPress Anti-Malware Security and Brute-Force Firewall contains a fix for the vulnerability, so users are advised to update as soon as possible.

XSS vulnerabilities are a very common security risk and there are even several variants of the attack, including:

  • Stored XSS vulnerability
  • Blind XSS vulnerability
  • Reflected XSS vulnerability

In stored and blind XSS attacks, the malicious script is stored on the target website itself, making it easier for administrators to trigger the malicious payload and the security risk increases considerably.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.