A cross-site scripting (XSS) vulnerability was discovered in three WordPress plugins, the Gwolle Guestbook plugin, the Strong Testimonials plugin and the Snazzy Maps plugin, during a routine security check-up of the system with the DefenseCode ThunderScan. With over 40,000 active installations of the Gwolle Guestbook plugin, over 50,000 of the Strong Testimonials plugin and over 60,000 of the Snazzy Maps plugin, the vulnerability puts users at risk of handing administrator access to a malicious attacker, who then has a free pass to spread malicious code further to the site's viewers and visitors. The vulnerability has been investigated under the DefenseCode advisory IDs DC-2018-05-008 / DC-2018-05-007 / DC-2018-05-008 (respectively) and has been rated a medium threat on all three fronts. It exists in the plugins' PHP code and affects all versions up to and including v2.5.3 of Gwolle Guestbook, v2.31.4 of Strong Testimonials and v1.1.3 of Snazzy Maps.
The vulnerability was initially discovered by DefenseCode on the first of June and WordPress was informed four days later. The vendor was given the standard 90-day release period to come forward with a fix. Upon investigation, the vulnerability was found in an echo() statement that outputs a request-controlled variable without escaping: the $_SERVER['PHP_SELF'] variable in the Gwolle Guestbook plugin, the $_REQUEST['id'] variable in the Strong Testimonials plugin and the $_GET['text'] variable in the Snazzy Maps plugin. To mitigate the risk of this vulnerability, updates for all three plugins have been released by WordPress, and users are requested to update their plugins to the latest available versions.
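The three reflected-XSS patterns named above (a request path echoed into a form action, a request parameter echoed into an attribute, and a query parameter echoed into the page body) are shown here beside their hardened forms. This is an added example written for this article, not code from the affected plugins or from DefenseCode; it assumes WordPress's escaping helpers (esc_html, esc_attr, esc_url, sanitize_text_field, wp_unslash, absint) are available when run inside WordPress, and defines minimal stand-ins so it also runs under plain php-cli. The function names and the sample request values are constructed for the demonstration.

```php
<?php
// Added example (not the plugins' own code): each of the three echo patterns
// from the advisory, vulnerable form beside hardened form.
// Stand-ins for WordPress helpers so the file runs under php-cli; inside
// WordPress the real implementations are used instead (assumption).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    function esc_url( $url ) {
        // Stand-in: drop dangerous schemes, then escape for attribute context.
        $url = (string) $url;
        if ( preg_match( '/^\s*(javascript|data|vbscript):/i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    function wp_unslash( $value ) {
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\r\n\t ]+/', ' ', $str );
        return trim( $str );
    }
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

// Pattern 1: $_SERVER['PHP_SELF'] echoed into a form action.
// PHP_SELF reflects the request path, so a crafted URL lands in the
// attribute unescaped.
function form_action_vulnerable() {
    return '<form action="' . $_SERVER['PHP_SELF'] . '">';
}
// Hardened: escape for URL/attribute context. Inside WordPress, prefer
// admin_url() or the current request URI over PHP_SELF altogether.
function form_action_hardened() {
    return '<form action="' . esc_url( $_SERVER['PHP_SELF'] ) . '">';
}

// Pattern 2: $_REQUEST['id'] echoed into an HTML attribute.
function id_field_vulnerable() {
    return '<input type="hidden" name="id" value="' . $_REQUEST['id'] . '">';
}
// Hardened: the value is a numeric id, so cast it before escaping; the cast
// alone removes the injected markup, and esc_attr() covers the context.
function id_field_hardened() {
    return '<input type="hidden" name="id" value="' . esc_attr( absint( $_REQUEST['id'] ) ) . '">';
}

// Pattern 3: $_GET['text'] echoed into the page body.
function text_vulnerable() {
    return '<p>' . $_GET['text'] . '</p>';
}
// Hardened: unslash, reduce to plain text, then escape for HTML body context.
function text_hardened() {
    $text = sanitize_text_field( wp_unslash( $_GET['text'] ) );
    return '<p>' . esc_html( $text ) . '</p>';
}

// Constructed sample inputs standing in for a crafted request; classic
// alert() probes, chosen so the difference between the two outputs is visible.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php"><script>alert(1)</script>';
$_REQUEST['id']      = '7" onfocus="alert(1)" autofocus="';
$_GET['text']        = '<img src=x onerror=alert(1)>';

foreach ( array( 'form_action', 'id_field', 'text' ) as $pattern ) {
    echo "vulnerable: " . call_user_func( $pattern . '_vulnerable' ) . "\n";
    echo "hardened:   " . call_user_func( $pattern . '_hardened' ) . "\n\n";
}
```

The point a reviewer checks in each hardened form is that the escaping function matches the output context (esc_url for a URL attribute, esc_attr for a plain attribute, esc_html for body text) and that the value is reduced to its expected type first where one exists, such as the integer id. Scanning a plugin for echo or print of $_GET, $_POST, $_REQUEST and $_SERVER values that lack one of these wrappers is the quickest way to find the same class of defect before a tool like ThunderScan does.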