We have recently added a bunch of new security tests to Detectify, so you can now check your WordPress site for XSS vulnerabilities in popular plugins like Ninja Forms and Loco Translate. If you’re using one (or more) of the plugins listed below, make sure to run a new Detectify scan to see if your site is vulnerable.
What happens if an attacker exploits an XSS vulnerability?
XSS can be used to steal cookies, perform phishing attacks and tabnabbing, all of which can lead to stolen information and hijacked accounts.
Our new WordPress XSS security tests
WooCommerce PDF Invoices & Packing Slips Authenticated XSS (v. 2.0.9)
The plugin is vulnerable to authenticated reflected XSS via the ‘tab’ parameter.
Ninja Forms Authenticated XSS (prior to v. 3.1.9)
Ninja Forms is a popular web form plugin that has over 900.000 installs on WordPress. Versions prior to v. 3.1.9 are vulnerable to authenticated reflected XSS. The vulnerability was submitted to Detectify Crowdsource as a 0-day, but is now patched.
Pretty Links Authenticated XSS (v. 2.1.2)
The plugin is vulnerable to authenticated reflected XSS via the ‘message’ parameter.
Loco Translate Authenticated XSS (v. 2.0.15)
This version of the Loco Translate plugin is vulnerable to authenticated reflected XSS via the translation filter bypass.
Google Pagespeed Insights Authenticated XSS (v. 3.0.0)
Performance plugin Google Pagespeed Insights is vulnerable to authenticated reflected XSS via the ‘filter’ parameter.
Booking Calendar Authenticated XSS (v. 2.0.9)
The plugin is vulnerable to authenticated reflected XSS via the tab_cvm parameter.
Crelly Slider Authenticated XSS (prior to v. 1.2.2)
The Crelly Slider plugin is vulnerable to authenticated reflected XSS via the id parameter.
Pinfinity XSS (prior to v. 1.9.2)
The popular WordPress theme Pinfinity is vulnerable to reflected XSS via the ‘s’ (search) parameter.
How to check if you are vulnerable
If you think your site might be affected, simply log in to your Detectify account, click on your Scan profile and start a new scan. All security issues the scanner discovers will be listed in your scan report.
Start a scan to identify XSS vulnerabilities on your WordPress site
Stay safe!
The Detectify team