Researchers at RIPS Technologies have disclosed two XSS vulnerabilities on the WordPress.org site, discovered back in May of this year. One of the bugs had worm potential. In light of this, the researchers once again remind us that the compromise of just one plugin for a popular CMS can have very large-scale consequences. It is enough to recall the recent case of the WP GDPR Compliance plugin, a vulnerability in which was used to hijack sites.
After discovering the first bug, the researchers decided to check the entire WordPress.org codebase with RIPS, their own static code analyzer. The check revealed another XSS vulnerability on the official CMS website, this time in the dashboard at WordPress.org/plugins. This bug was a reflected XSS. Both problems have now been fixed, and the experts once again draw the community's attention to how dangerous plugin-related vulnerabilities can be.