November 27, 2021
WordPress NextScripts Social Networks Auto-Poster Plugin Security Vulnerability Discovered

WordPress Site Administrators: Update This Plugin Immediately, Because Attackers Could Seize Control of Your Site

The WordPress social media sharing plugin NextScripts Social Networks Auto-Poster automatically posts new content to social networks, but unpatched versions contain a serious cross-site scripting flaw that attackers can exploit…

WordPress remains one of the most popular (if not the most popular) CMS on the internet. With that ubiquity comes a large, all-too-tempting target for threat actors. Plugins make administering a site easier, but every plugin also adds code that runs with the site's privileges, so a flaw in any one of them can expose the whole site to attack. Recently, Wordfence's Ramuel Gall discovered a vulnerability in a WordPress plugin with over 100,000 installations.


The plugin in question is NextScripts Social Networks Auto-Poster. As the name suggests, it automatically posts new content to social media when it goes live. The flaw is a cross-site scripting (XSS) vulnerability. Fortunately, it was disclosed to the developer and a fix has already been released, so any site administrator running this plugin should update it to the most recent version immediately; because the attack relies on a logged-in administrator being lured to an attacker-controlled page, updating the plugin is the only fix described. Gall explains:

“As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover. This meant that it was possible to execute JavaScript in the browser of a logged-in administrator by tricking them into visiting a self-submitting form that sent a POST request to their site.”
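The attack chain in the quote has three parts: an attacker page that auto-submits a cross-site POST to the victim's WordPress site, a handler that reflects a POST field into an administrator page without escaping it, and the administrator's browser, which attaches the session cookie and runs whatever script comes back. The following is an added, constructed model of that chain and of the two server-side controls that break it (a per-session request token, which is what WordPress nonces provide, and context-aware output escaping). It is not the plugin's code and not WordPress; the field name `search`, the action name `example_search`, `SECRET_KEY` and the handler functions are assumptions made for the illustration.

```python
"""Model of a reflected XSS delivered through a self-submitting form (CSRF),
with a vulnerable handler and a hardened handler side by side.
Constructed illustration only: not the NextScripts plugin and not WordPress."""
import hashlib
import hmac
import html

# Stand-in for the server-side secret that WordPress derives nonces from.
SECRET_KEY = b"constructed-server-secret"  # assumption: fixed demo key


def make_nonce(session_id: str, action: str) -> str:
    """Per-session, per-action request token (simplified: no expiry window)."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, session_id: str, action: str) -> bool:
    """Constant-time check of a submitted token against the expected one."""
    expected = make_nonce(session_id, action).encode()
    return hmac.compare_digest((nonce or "").encode(), expected)


def attacker_page(target_url: str, payload: str) -> str:
    """The 'self-submitting form' a logged-in admin is tricked into loading.
    The attacker escapes the payload inside the value attribute; the browser
    decodes it back to the raw string when it submits the form, and sends the
    admin's session cookie along with the cross-site POST."""
    return (
        f'<form id="f" method="POST" action="{html.escape(target_url, quote=True)}">'
        f'<input type="hidden" name="search" value="{html.escape(payload, quote=True)}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def vulnerable_handler(post: dict, session_id: str):
    """Reflects a POST field straight into the admin page: no token check,
    no escaping. Any script in `search` runs in the admin's session."""
    term = post.get("search", "")
    return 200, f"<h2>Results for: {term}</h2>"


def hardened_handler(post: dict, session_id: str):
    """Same feature with both controls applied."""
    # 1. A cross-site form cannot carry a valid token for the victim's session,
    #    so the forged POST is rejected before any output is produced.
    if not verify_nonce(post.get("_nonce"), session_id, "example_search"):
        return 403, "Invalid request token"
    # 2. Even a legitimate request is escaped for the HTML text context it is
    #    rendered in, so a stored or user-typed payload cannot break out.
    term = html.escape(post.get("search", ""), quote=True)
    return 200, f"<h2>Results for: {term}</h2>"


def forged_post(payload: str) -> dict:
    """What the victim's browser submits from attacker_page(): the attacker's
    field values, but no token, because the attacker cannot compute one."""
    return {"search": payload}


if __name__ == "__main__":
    payload = '<script>/* add a rogue admin user */</script>'
    print(attacker_page("https://victim.example/wp-admin/admin.php", payload))
    print(vulnerable_handler(forged_post(payload), "admin-session"))
    print(hardened_handler(forged_post(payload), "admin-session"))
    good = dict(forged_post(payload), _nonce=make_nonce("admin-session", "example_search"))
    print(hardened_handler(good, "admin-session"))
```

Note that the two controls address different failures: the token check stops the cross-site delivery described in the quote, while the escaping stops the script from executing even if a request with a valid token carries a payload. A real fix applies both, since either one alone leaves a path open.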

Ashley Lipman

Ashley Lipman is a super-connector with Outreachmama who helps businesses find their audience online through outreach, partnerships, and networking.
