ALERT: 52 XSS APR 2021 – Cross-Site Scripting APR 2021 Blast

XSS APR 2021 - Cross-Site Scripting APR 2021

Managed WordPress Security Report

Be informed about the latest Cross-Site Scripting APR 2021, identified and reported publicly. As these XSS APR 2021 vulnerabilities have a severe negative impact on any WordPress Security, consider our FREE security AUDIT.

An estimated jaw-dropping 9.989.000+ active WordPress installations are susceptible to this attack type, considering only the publicly available numbers. The estimated number can increase by 20-25% with premium versions as they are private purchases.

Furthermore, the initial estimation can triple if we consider (1) the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain; and (2) the closed "uncounted" versions remain active on domains already running the plugins, as nobody is maintaining security. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind new / protected areas, possibly exposing other clean WP to different attack types.

It is a 373% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: ALERT: 28 XSS MAR 2021 – Cross-Site Scripting MAR 2021 Blast and 11 XSS – Cross-Site Scripting – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the XSS APR 2021 category:

---

• WooCommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)
  • WooCommerce is the world’s most popular open-source eCommerce solution. Active installations: 5+ million

---

• Elementor – Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS
  • Have you ever imagined you could create your website header and footer with Elementor for FREE? Active installations: 1+ million

---

• Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS)
  • Enhance your Elementor page building experience with 70+ creative elements and extensions. Add powers to your page builder using our easy-to-use elements those were designed to make your next WordPress page and posts design easier and prettier than ever before. Active installations: 1 million +

---

• Store Locator Plus <= 5.5.15 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• contact-form-check-tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
  • This plugin has been closed as of March 25, 2022 and is not available for download. This closure is permanent.

---

• Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
  • Simple and powerful Contact Form Builder by Supsystic with drag-and-drop editor. No coding knowledge is required. Active installations: 10,000+

---

• DethemeKit For Elementor < 1.5.5.5 - Contributor+ Stored XSS
  • Detheme Widgets for elementor. Active installations: 9,000+

---

• Elementor Addon Elements < 1.11.2 - Contributor+ Stored XSS
  • Add more power to your Elementor page builder experience by using our 24+ easy to use widgets and extensions. Active installations: 100,000+

---

• Elements kit Elementor addons (Header & Footer Builder, Mega Menu Builder, Layout Library) < 2.2.0 - Contributor+ Stored XSS
  • ElementsKit is an ultimate All in one addons for Elementor Page Builder. It includes most comprehensive modules, such as Header Footer Builder, Mega Menu Builder Layoutkit etc under the one hood. It has 55+ custom widgets to create any sites with ease. Active installations: 300,000+

---

• Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)
  • TOP RATED PLUGIN for Login Page Customization!!! Customize completely your WordPress Login Screen and Dashboard easily. Add your company logo to login screen, change background images, colors, styles etc. Customize your Dashboard footer text also for complete branding. Now faster and better db performance! Active installations: 40,000+

---

• fitness calculators plugin < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
  • Plugin for calculating Water intake, BMI calculator, protein Intake for the fitness freaks. Active installations: 900+

---

• GiveWP – Donation Plugin and Fundraising Platform < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
  • GiveWP is the highest rated, most downloaded, and best supported donation plugin for WordPress. Built from the ground up for all your fundraising needs, GiveWP provides you with a powerful donation platform optimised for online giving. Active installations: 100,000+

---

• Happy Addons for Elementor Free < 2.24.0 - Contributor + Stored XSS
• Happy Addons for Elementor Pro < 1.17.0 - Contributor+ Stored XSS
  • Happy Addons for Elementor page builderIs One of the Best Elementor Addons That Comes With 87 Elementor Free & Pro Widgets and 16+ Problem-Solving Elementor Features. Active installations: 100,000+

---

• HT Mega – Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS
  • HTMega is a absolute addons for elementor includes 80+ elements & 360 Blocks with unlimited variations. HT Mega brings limitless possibilities. Embellish your site with the elements of HT Mega. Active installations: 70,000+

---

• Image Hover Effects – Elementor Addon < 1.3.4 - Contributor+ Stored XSS
  • Image Hover Effects Addon for Elementor Page Builder is the best in class addon that lets you set customized hover effects for your image. It gives attention to detail by allowing you to align text, change background, set borders and offers a number of other features. Active installations: 40,000+

---

• JetWidgets For Elementor < 1.0.9 - Contributor+ Stored XSS
  • JetWidgets provides the set of outstanding widgets for Elementor, perfect for creating all kinds of content. Every widget from its set has its own content stylization settings, making it possible to create content without any coding skills. Active installations: 10,000+

---

• larsens-calender <= 1.2 - Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• shopello Unauthenticated Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
  • Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+

---

• Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
  • Pie Register is a Registration Plugin for building user registration forms.
    It has a drag and drop form builder, invitation-only registration, email templates, conditional logic, data import & export, role-based redirection, and payment gateways, and much more. Active installations: 7,000+

---

• Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
  • Popup plugin by Supsystic with Popup Builder helps you get newsletter subscribers, promote new products, make special offers and attract more social followers. Active installations: 30,000+

---

• PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS
  • Extend Elementor with 60+ Creative Elementor Widgets and extensions with PowerPack Elementor addons – The fastest-growing Elementor addon. Get 30+ Free Elementor widgets with PowerPack Lite. Active installations: 50,000+

---

• Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS)
  • Supercharge your Elementor Page Builder with 55+ highly customizable Elementor essential addons and widgets, 300+ premade Elementor templates that will give you the ability to build sophisticated websites in less time with no coding required. Active installations: 400,000+

---

• Redirect 404 to parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
  • Redirect any 404 request to the parent URL with this incredibly powerful, easy-to-use, well supported and 100% free WordPress cookie plugin. Active installations: 100+

---

• Rife Elementor Extensions & Templates < 1.1.6 - Contributor+ Stored XSS
  • Are you looking for beautiful Elementor templates for your site? We bring you well designed & responsive templates for your landing pages. Active installations: 30,000+

---

• RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)
  • Данный плагин автоматически создаст на вашем сайте новую RSS-ленту (или несколько лент) для сервиса “Яндекс.Турбо” в полном соответствии с техническими требованиями Яндекса. Active installations: 50,000+

---

• Select All Categories and Taxonomies, Change Checkbox to Radio Buttons < 1.3.2 - Reflected Cross-Site Scripting (XSS)
  • Use radio buttons or checkboxes for your categories and custom taxonomies with this incredibly powerful, easy-to-use, well supported and 100% free WordPress cookie plugin.

    Active installations: 1,000+

---

• SEO Redirection Plugin – 301 Redirect Manager < 6.4 - Authenticated Stored Cross-Site Scripting (XSS)
  • SEO Redirection is a powerful redirect manager to manage 301 redirects, you can build and manage redirects easily for your site. This plugin is useful if you want to migrating pages from an old website, or are changing the directory of your WordPress website. Active installations: 40,000+

---

• Sina Extension for Elementor < 3.3.12 - Contributor+ Stored XSS
  • This is an extension or addon for Elementor page builder. It will extend the Elementor and increase web page building experience. It has 38 useful & high-quality widgets or addon and 2 creative extenders. Which you may use for easy & fast make the page & display your content far better way. After using it, you will feel that it’s one of the best addon for Elementor. Active installations: 10,000+

---

• Software License Manager < 4.4.6 - CSRF to Stored XSS
  • Software license management solution for your web applications (WordPress plugins, Themes, PHP based membership script etc.) Active installations: 1,000+

---

• Stop Spammers < 2022.9 - Reflected Cross-Site Scripting (XSS)
  • Stop spam emails, spam comments, spam registration, and spam bots and spammers in general. Run diagnostic tests, view activity, and much more with this well-maintained, mature plugin. Active installations: 60,000+

---

• The Plus Addons for Elementor Page Builder Lite < 2.0.6 - Contributor+ Stored XSS
  • The Plus Addons for Elementor is made by experienced designers and developers to fulfil all your needs while development of websites. It’s completely responsive, easy to use with tons of options. Which makes this plugin biggest, unique and most advance. Active installations: 30,000+

---

• Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS
  • The Complete Elementor Toolkit for New Design Possibilities. Active installations: 600,000+

---

• Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)
  • Supsystic Ultimate Maps plugin was developed after the changes in Google maps pricing policy. According to the new rules, using Google maps is becoming too expensive for websites with large traffic. Active installations: 10,000+

---

• WooLentor – WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS
  • WooLentor is a WooCommerce Addons for Elementor Page Builder. WooCommerce Builder is included in this plugin to build custom product page and archive page. Active installations: 50,000+

---

• WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)
  • WPBakery Page Builder (Visual Composer) Clipboard allows you to copy/cut and paste single content elements or stack of content elements across pages without ever leaving WPBakery Page Builder (back end) interface! Active installations: Not public info!

---

• 404 SEO Redirection <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
• 404 SEO Redirection <= 1.3 - Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 27, 2022 and is not available for download. This closure is permanent.

---

• Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)
  • Accordions is easy and powerful tool to create accordion, faq, tabs, tab content, frequently asked question, knowledge base, question & answer section, WooCommerce FAQ tabs and many other way to use this plugin. supper easy to customize looks and feel, changing color, font size of content, choosing accordion icons was never easy before. Active installations: 30,000+

---

• All 404 Redirect to Homepage < 1.21 - Reflected Cross-Site Scripting (XSS)
  • By this plugin you can fix all random 404 links appear in you your website and redirect them to homepage or any other page using 301 SEO redirect. 404 error pages hurts the rank of your site in search engines. This smart plugin is a simple solution to handle 404 error pages. Active installations: 300,000+

---

• All-in-One Addons for Elementor – WidgetKit < 2.3.10 - Contributor+ Stored XSS
  • If Elementor page builder elements are not enough, try WidgetKit Addon and boost your page building experience. More than 55+ creative elements come with WidgetKit. You will be able to come out from the boundary of ordinary design and do something creative. Active installations: 20,000+

---

• BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities
  • Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+

---

• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS
• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11.2 - Authenticated Stored Cross-Site Scripting
  • Are you looking for a simple directory website builder for WordPress? With Business Directory Plugin, you can be in control without a developer. Active installations: 20,000+

---

• Clever Addons for Elementor < 2.1.0 - Contributor+ Stored XSS
  • Clever Addons for Elementor provides high quality widgets and templates which are easy to use and customize. Help you create stunning websites quickly. Active installations: 8,000+

---

• Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS
  • Livemesh Addons for Elementor features a huge collection of premium, easy-to-use yet highly functional extensions that can be used in Elementor page builder. This is really a premium plugin that you can get for free. Active installations: 100,000+

---

• OpenID Connect Generic Client 3.8.0~3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
  • This plugin allows to authenticate users against OpenID Connect OAuth2 API with Authorisation Code Flow. Active installations: 2,000+

---

• HT Slider Range for Amazon affiliates Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Cuando pensamos en un control deslizante, generalmente imaginamos un control deslizante de la galería de imágenes, o el infame carrusel, o quizás la navegación fuera del lienzo, con la superposición deslizándose desde un lado. Active installations: 10+

---

• woo-qiwi-payment-gateway Unauthenticated Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• teamleader-form-integration Unauthenticated Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Invoicing with InvoiceXpress for WooCommerce – Free Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Invoicing with InvoiceXpress for WooCommerce – Free allows you to easily create legal invoices for your WooCommerce orders using InvoiceXpress, directly on your store dashboard, and send them via email to the client. Active installations: 100+

BRIEF: Cross-Site Scripting APR 2021 is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

What is CROSS-SITE SCRIPTING APR 2021?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

What is the impact of a XSS APR 2021 ATTACK?

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:

- In a simple public application, where all users are anonymous and all information is public, the impact will often be minimal. Nothing else to steal.
- In an application holding sensitive or private/personal data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
- If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users, owners and their data.

What kind of XSS attacks are exploited?

- Reflected XSS, where the malicious script comes from the current HTTP request.
- Stored XSS, where the malicious script comes from the website's database.
- DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

 

Related Posts to MANAGED WordPress Security: