Another WordPress Plugin Has a Security Vulnerability Related to Usage of extract()

guest · Sep 29, 2021

WordPress security: CookieYes GDPR plugin patches XSS bug following large-scale PHP audit
Researchers claim five plugins use extract() function insecurely – but some maintainers disagree
September 29, 2021
https://portswigger.net/daily-swig/...tches-xss-bug-following-large-scale-php-audit

A hugely popular GDPR compliance plugin for WordPress contained an authenticated, persistent cross-site scripting (XSS) vulnerability related to the insecure use of PHP’s extract() function, according to security researchers.

As a result, the CookieYes GDPR Cookie Consent & Compliance Notice plugin, which has more than one million active installations, no longer uses the extract() function in the shortcodes module, as per a software update released today (September 29).
Click to expand...

In a blog post published on September 24, Plugin Vulnerabilities, a WordPress security service, said it tested the 100 most popular plugins in the WordPress Plugin Directory for similar issues and identified five in total that used the extract() function insecurely.

The XSS flaw in CookieYes GDPR relates to a lack of validation or sanitization on user input, said Plugin Vulnerabilities.
Click to expand...

Plugin Vulnerabilities: Another One of the 100 Most Popular WordPress Plugins Has a Security Vulnerability Related to Usage of extract()

On Friday, we noted that five of the 100 most popular WordPress plugins were using the extract() function insecurely. While none of those plugins look to have an obvious vulnerability due directly to the usage of extract(), we mentioned in the previous post that we had confirmed that one of the plugins, with 1+ millions installs, had a vulnerability related to its usage.
Click to expand...

Log in or Sign up

Another WordPress Plugin Has a Security Vulnerability Related to Usage of extract()

guest Guest

Log in or Sign up

Another WordPress Plugin Has a Security Vulnerability Related to Usage of extract()

guest Guest

Useful Searches