WordPress Gwolle Guestbook, Strong Testimonials and Snazzy Maps Plugins Vulnerable to XSS Attack

A cross-site scripting (XSS) vulnerability was discovered in three WordPress plugins, the Gwolle Guestbook CMS plugin, the Strong Testimonials plugin, and the Snazzy Maps plugin, during a routine security check-up with the DefenseCode ThunderScan. With over 40,000 active installations of the Gwolle Guestbook plugin, over 50,000 active installations of the Strong Testimonials plugin, and over 60,000 active installations of the Snazzy Maps plugin, the cross-site scripting vulnerability puts users at risk of handing administrator access to a malicious attacker, which in turn gives the attacker a free pass to spread further malicious code to the site's viewers and visitors. The vulnerability has been investigated under the DefenseCode advisory IDs DC-2018-05-008 / DC-2018-05-007 / DC-2018-05-008 (respectively) and has been rated a medium threat for all three plugins. It exists in the plugins' PHP code and affects all versions up to and including v2.5.3 for Gwolle Guestbook, v2.31.4 for Strong Testimonials, and v1.1.3 for Snazzy Maps.

The cross-site scripting vulnerability is exploited when a malicious attacker crafts a URL containing JavaScript code and manipulates a WordPress administrator into opening that address. Such manipulation could occur through a comment posted on the site that the administrator is tempted to click on, or through an email, a post, or a forum discussion. Once the request is made, the hidden malicious code runs in the administrator's session and the attacker gains complete access to that user's WordPress site. With open-ended access to the site, the attacker can embed more malicious code into it and spread malware to the site's visitors as well.

The vulnerability was initially discovered by DefenseCode on the first of June, and WordPress was informed 4 days later. The vendor was given the standard 90-day release period to come forward with a solution. Upon investigation, it was found that the vulnerability existed in an echo() call that output unescaped request data: the $_SERVER['PHP_SELF'] variable in the Gwolle Guestbook plugin, the $_REQUEST['id'] variable in the Strong Testimonials plugin, and the $_GET['text'] variable in the Snazzy Maps plugin. To mitigate the risk of this vulnerability, updates for all three plugins have been released by WordPress, and users are requested to update their plugins to the latest available versions.
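The pattern shared by all three findings, shown as an added illustration rather than the actual code of any of the plugins (which this article does not reproduce): a request-controlled value echoed straight into HTML, beside the hardened form using WordPress's own escaping helpers. The 'plugin-settings' page slug and the function names are assumptions for the illustration.

```php
<?php
// Added illustration (not the code of any of the three plugins): the generic
// pattern behind a reflected XSS in a WordPress admin page, and its fix.
// Assumes the WordPress helpers (esc_attr, esc_url, absint, admin_url,
// add_query_arg, sanitize_text_field, wp_unslash) are loaded, as inside WP.

// VULNERABLE PATTERN: request-controlled values echoed straight into HTML.
// A link whose path or query parameter carries markup is reflected into the
// administrator's page, and any script in it runs in the admin session.
function vulnerable_form_action() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}
function vulnerable_hidden_id() {
    echo '<input type="hidden" name="id" value="' . $_REQUEST['id'] . '">';
}
function vulnerable_text_field() {
    echo '<input type="text" name="text" value="' . $_GET['text'] . '">';
}

// HARDENED PATTERN: never echo PHP_SELF; build the action URL server-side,
// and escape every user-controlled value for the context it lands in.
function hardened_form_action() {
    // 'plugin-settings' is a placeholder slug; admin_url() is not request data.
    $action = add_query_arg( array( 'page' => 'plugin-settings' ), admin_url( 'admin.php' ) );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
}
function hardened_hidden_id() {
    // An id is numeric: coerce to a non-negative integer, then still escape it.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    echo '<input type="hidden" name="id" value="' . esc_attr( $id ) . '">';
}
function hardened_text_field() {
    // Free text lands in an attribute: unslash, sanitize, then attribute-escape.
    $text = isset( $_GET['text'] ) ? sanitize_text_field( wp_unslash( $_GET['text'] ) ) : '';
    echo '<input type="text" name="text" value="' . esc_attr( $text ) . '">';
}
```

The same review rule catches all three: any value that originates in $_GET, $_POST, $_REQUEST or $_SERVER must pass through the escaping function matching its output context (esc_attr, esc_html, esc_url, esc_js) before it reaches echo.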

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.