iThemes Security WordPress Plugin

CVE-2018-7433

The iThemes Security plugin before 6.9.1 and iThemes Security Pro plugin before 4.8.5 for WordPress does not properly perform data escaping for the logs page.


Vulnerability description:

The iThemes Security plugin before 6.9.1 and iThemes Security Pro plugin before 4.8.5 for WordPress are vulnerable to Cross-Site Scripting (XSS). A remote attacker could exploit this vulnerability to add malicious JavaScript code to the log page by visiting a non-existent URL with a payload; the code is executed in the context of the web server’s domain whenever an administrator visits the page.
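As an added illustration (not the plugin's own code), a minimal PHP sketch of the pattern behind this class of bug: a request for a non-existent page is logged and the stored URI is later rendered to an administrator, once echoed raw and once escaped at output with WordPress's esc_html(). The function names, log structure and sample request are hypothetical.

```php
<?php
// Added illustration, not iThemes code: a minimal "404 log" page that
// records the requested URI and later renders it to an administrator.
// Function and variable names here are hypothetical.

// WordPress provides esc_html(); this fallback lets the file run stand-alone
// outside WordPress and approximates its behaviour for this demonstration.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Record a 404: the request URI is attacker-controlled input and is stored as-is.
// Storing raw data is fine; the defect is in how it is later output.
function log_not_found(array &$log, string $request_uri, string $remote_ip): void {
    $log[] = ['time' => gmdate('c'), 'ip' => $remote_ip, 'uri' => $request_uri];
}

// Vulnerable rendering: the stored URI is echoed straight into the admin page,
// so any markup in it becomes part of the page (stored XSS in the admin context).
function render_log_vulnerable(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= "<tr><td>{$row['time']}</td><td>{$row['ip']}</td><td>{$row['uri']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: every untrusted value is escaped at output time with
// esc_html(), so the browser shows the URI as text instead of parsing it.
function render_log_hardened(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= '<tr><td>' . esc_html($row['time']) . '</td><td>' . esc_html($row['ip'])
               . '</td><td>' . esc_html($row['uri']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample: a request for a non-existent path that carries markup.
$log = [];
log_not_found($log, '/missing-page<b>not-a-tag</b>', '192.0.2.10');

echo "Vulnerable output:\n" . render_log_vulnerable($log);
echo "Hardened output:\n"   . render_log_hardened($log);
```

The same rule applies to attribute contexts, where WordPress's esc_attr() is the matching escaper.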


CVSS Base Score: 6.5
CVSS Vector: (CVSS v3: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)


Affected Products and Versions

iThemes Security plugin before version 6.9.1

iThemes Security Pro plugin before version 4.8.5


Remediation/Fixes

Upgrade to the latest version.

https://wordpress.org/plugins/better-wp-security/#developers


Paweł Kuryłowicz