WordPress Astra Theme Vulnerability Impacts +1 Million Websites

One of many World’s hottest WordPress themes quietly patched a safety vulnerability over the weekend that safety researchers say seems to have patch a saved XSS vulnerability.

The official Astra changelog supplied this rationalization of the safety launch:

“Enhanced Safety: Our codebase has been strengthened to additional shield your web site.”

Their changelog, which paperwork adjustments to the code that’s included in each replace, gives no details about what the vulnerability was or the severity of it.  Theme customers thus can’t make an knowledgeable determination as as to if to replace their theme as quickly as attainable or to conduct exams first earlier than updating to insure that the up to date theme is appropriate with different plugins in use.

SEJ reached out to the Patchstack WordPress safety firm who verified that Astra could have patched a cross-site scripting vulnerability.

Brainstorm Pressure Astra WordPress Theme

Astra is among the world’s hottest WordPress theme. It’s a free theme that’s comparatively  light-weight, simple to make use of and leads to skilled trying web sites. It even has Schema.org structured knowledge built-in inside it.

Cross-Website Scripting Vulnerability (XSS)

A cross-site scripting vulnerability is among the most typical sort of vulnerabilities discovered on WordPress that usually arises inside third occasion plugins and themes. It’s a vulnerability that happens when there’s a option to enter knowledge however the plugin or theme doesn’t sufficiently filter what’s being enter or output which might subsequently enable an attacker to add a malicious payload.

This explicit vulnerability known as a saved XSS. A saved XSS is so-called as a result of it includes straight importing the payload to the web site server and saved.

The non-profit Open Worldwide Software Safety Venture (OWASP) web site gives the next description of a stored XSS vulnerability:

“Saved assaults are these the place the injected script is completely saved on the goal servers, comparable to in a database, in a message discussion board, customer log, remark discipline, and so on. The sufferer then retrieves the malicious script from the server when it requests the saved info. Saved XSS can also be typically known as Persistent or Kind-II XSS.”

Patchstack Assessment Of Plugin

SEJ contacted Patchstack who promptly reviewed the modified information and recognized a attainable theme safety subject in three WordPress capabilities. WordPress capabilities are code that may change how WordPress options behave comparable to altering how lengthy an excerpt is. Features can add customizations and introduce new options to a theme.

Patchstack defined their findings:

“I downloaded model 4.6.9 and 4.6.8 (free model) from the WordPress.org repository and checked the variations.

It appears that evidently a number of capabilities have had a change made to them to flee the return worth from the WordPress perform get_the_author.

This perform prints the “display_name” property of a person, which may comprise one thing malicious to finish up with a cross-site scripting vulnerability if printed straight with out utilizing any output escaping perform.

The next capabilities have had this modification made to them:

astra_archive_page_info
astra_post_author_name
astra_post_author

If, for instance, a contributor wrote a put up and this contributor adjustments their show title to comprise a malicious payload, this malicious payload might be executed when a customer visits that web page with their malicious show title.”

Untrusted knowledge within the context of XSS vulnerabilities in WordPress can occur the place a person is ready to enter knowledge.

These processes are known as Sanitization, Validation, and Escaping, 3 ways of securing a WordPress web site.

Sanitization could be mentioned to be a course of that filters enter knowledge. Validation is the method of checking what’s enter to find out if it’s precisely what’s anticipated, like textual content as an alternative of code. Escaping output makes positive that something that’s output, comparable to person enter or database content material, is protected to show within the browser.

WordPress safety firm Patchstack recognized adjustments to capabilities that escape knowledge which in flip provides clues as to what the vulnerability is and the way it was mounted.

Patchstack Safety Advisory

It’s unknown whether or not a 3rd occasion safety researcher found the vulnerability or if Brainstorm, the makers of the Astra theme, found it themselves and patched it.

The official Patchstack advisory supplied this info:

“An unknown particular person found and reported this Cross Website Scripting (XSS) vulnerability in WordPress Astra Theme. This might enable a malicious actor to inject malicious scripts, comparable to redirects, commercials, and different HTML payloads into your web site which might be executed when visitors go to your web site. This vulnerability has been mounted in model 4.6.9.”

Patchstack assessed the vulnerability as a medium menace and assigned it a rating of 6.5 on a scale of 1 – 10.

Wordfence Safety Advisory

Wordfence additionally simply revealed a security advisory.  They analyzed the Astra information and concluded:

“The Astra theme for WordPress is susceptible to Saved Cross-Website Scripting by way of a person’s show title in all variations as much as, and together with, 4.6.8 attributable to inadequate enter sanitization and output escaping. This makes it attainable for authenticated attackers, with contributor-level entry and above, to inject arbitrary internet scripts in pages that can execute each time a person accesses an injected web page.”

It’s usually really useful that customers of the theme replace their set up however it’s additionally prudent to check whether or not the up to date theme doesn’t trigger errors earlier than pushing it to a dwell web site.

See additionally:

Featured Picture by Shutterstock/GB_Art