Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Featured Image plugin for WordPress, affecting all versions up to 2.1. It occurs because the plugin does not properly sanitize input or escape output in image metadata. Authenticated users with administrator-level permissions or higher can inject malicious scripts into pages. These scripts execute whenever a user accesses the infected page. The vulnerability only affects multi-site WordPress installations or installations where the unfiltered_html setting is disabled.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

An attacker with administrator-level permissions can inject malicious scripts into the website, which will execute in the browsers of users who visit the affected pages. This can lead to unauthorized actions such as stealing user credentials, performing actions on behalf of users, or spreading malware. The impact is limited to multi-site installations or those with unfiltered_html disabled, but it can compromise the security and integrity of the affected WordPress sites.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the Featured Image plugin to a version later than 2.1 where the issue is fixed. Additionally, ensure that only trusted administrators have access to the plugin and consider enabling unfiltered_html if appropriate, as the vulnerability affects installations where unfiltered_html is disabled. Monitor and restrict administrator-level permissions carefully, especially in multi-site WordPress installations.

Useful 0 Not Useful 0