The National Vulnerability Database announced that a popular Google Analytics WordPress plugin, with over 3 million installs, contains a Stored Cross-Site Scripting (XSS) vulnerability.
A Cross-Site Scripting (XSS) attack generally occurs when a part of a website that accepts user input is insecure and allows unexpected input, such as scripts or links.
The XSS vulnerability can be exploited to gain unauthorized access to a website and can lead to theft of user data or complete website takeover.
The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:
“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser fails to detect that the script is not trusted and runs the script.
Because it assumes the script is from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information stored by the browser and used with this website.”
A stored XSS, arguably worse, is one where the malicious script is stored on the website servers themselves.
The MonsterInsights – Google Analytics Dashboard for WordPress plugin was found to contain the stored XSS version of the vulnerability.
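As an added illustration (not code from MonsterInsights, WordPress or the Patchstack report), the rendering pattern behind a stored XSS in a plugin setting, shown beside its hardened form; the setting name, the stored value and the helper functions are constructed for this example, and the WordPress equivalents (esc_html(), esc_attr(), sanitize_text_field()) are named in the comments.

```php
<?php
// Added illustration (not MonsterInsights or WordPress code): a stored XSS
// arises when a value saved on the server (here, a plugin setting) is echoed
// into a page without escaping, so it runs as script in every visitor's
// browser. Contextual output escaping at render time is the fix.

// Constructed sample: a value that reached the options store through an
// insufficiently validated settings field. Harmless marker payload.
const STORED_LABEL = 'Main site <script>alert("stored xss")</script>';

// Vulnerable pattern: the stored value is concatenated straight into HTML.
function render_label_vulnerable(string $stored): string
{
    return '<p class="ga-label">Tracking label: ' . $stored . '</p>';
}

// Hardened pattern: escape for the HTML text context when rendering.
// In a WordPress plugin this is esc_html(); underneath it is htmlspecialchars().
function esc_html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_label_hardened(string $stored): string
{
    return '<p class="ga-label">Tracking label: ' . esc_html_text($stored) . '</p>';
}

// Attribute context needs the same treatment (esc_attr() in WordPress):
// an unescaped double quote would otherwise break out of the attribute.
function render_label_input_hardened(string $stored): string
{
    return '<input type="text" name="ga_label" value="' . esc_html_text($stored) . '">';
}

// Defence in depth: also validate on save (sanitize_text_field() in WordPress),
// but never rely on it alone, since data can reach the store by other paths.
function sanitize_label_on_save(string $raw): string
{
    $clean = strip_tags($raw);
    return trim(preg_replace('/[\r\n\t]+/', ' ', $clean));
}

// Self-check: the vulnerable rendering ships an executable <script> tag,
// the hardened rendering ships only inert, escaped text.
$vuln = render_label_vulnerable(STORED_LABEL);
$safe = render_label_hardened(STORED_LABEL);
echo (str_contains($vuln, '<script>') ? 'vulnerable output contains <script>' : 'unexpected') . PHP_EOL;
echo (str_contains($safe, '<script>') ? 'ESCAPING FAILED' : 'hardened output has no <script> tag') . PHP_EOL;
echo $safe . PHP_EOL;
```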
MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability
The MonsterInsights Google Analytics plugin is installed on over three million websites, making this vulnerability even more concerning.
The WordPress security company Patchstack, which discovered the vulnerability, published details:
“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics through the MonsterInsights plugin.
This could allow a malicious actor to inject your website with malicious scripts such as redirects, advertisements, and other HTML payloads that run when guests visit your site.
This vulnerability has been fixed in version 8.14.1.”
The MonsterInsights plugin changelog in the WordPress plugin repository offered a somewhat vague explanation of the security patch:
“Fixed: We fixed a PHP warning error and added additional security reinforcements.”
“Security hardening” is a term that can be applied to many tasks related to attack vector reduction, such as removing the version number.
WordPress has published an entire security hardening page that recommends tasks such as regular database backups, getting themes and plugins from trusted sources, and using secure passwords.
All of these activities increase security.
For this reason, “security hardening” is an overly generic term for something as specific (and important) as patching an XSS vulnerability, and using it could cause a user to skip updating their plugin.
Patchstack recommends that all MonsterInsights Analytics Plugin users immediately update their WordPress plugin to the latest version, or at least to version 8.14.1.
Read the announcement from the US National Vulnerability Database:
Read Patchstack’s announcement:
WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)