Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites
MonsterInsights Google Analytics WordPress plugin XSS vulnerability affects up to +3 million websites
Brought to you by Trickyenough
The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed on over 3 million websites was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability.
A Cross-Site Scripting (XSS) attack generally occurs when a part of the website that accepts user input is insecure and allows unanticipated input, like scripts or links.
Stored XSS
The XSS vulnerability can be leveraged to obtain unauthorized access to a website and can lead to user data theft or a full site takeover.
The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:
A stored XSS, which is arguably worse, is one in which the malicious script is stored on the website's servers themselves.
The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.