CVE-2016-10866
Description
The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One WP Security & Firewall plugin before 4.2.0 allow attackers to inject arbitrary web scripts.
Vulnerability
The All-in-One WP Security & Firewall plugin for WordPress (all-in-one-wp-security-and-firewall) versions before 4.2.0 contain multiple cross-site scripting (XSS) vulnerabilities. These issues arise from insufficient input sanitization and output escaping in various plugin components, allowing unauthenticated or low-privileged attackers to inject malicious scripts. The affected versions are all releases prior to 4.2.0 [1].
Exploitation
An attacker can exploit these XSS flaws by crafting a malicious URL or input that, when processed by the plugin, executes arbitrary JavaScript in the context of a victim's browser. No authentication is required if the vulnerable endpoint is publicly accessible; however, some vectors may require user interaction (e.g., clicking a link) or an administrator to visit a crafted page. The exact attack surface depends on the specific vulnerable parameter, but common vectors include unsanitized input in login forms, comment fields, or admin panels.
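The defect class described in the Vulnerability and Exploitation sections (a request value reflected into HTML without sanitization or context-aware escaping) is shown below in a constructed, hypothetical plugin settings fragment. This is an added illustration written for this page; it is not code from All-in-One WP Security & Firewall, and the `search` parameter, the two `render_search_box_*` functions and the sample input are assumptions. The `function_exists` fallbacks stand in for the real WordPress `esc_html()`, `esc_attr()`, `sanitize_text_field()` and `wp_unslash()` helpers so the file also runs outside WordPress.

```php
<?php
// Hypothetical settings-page fragment (constructed illustration, not the plugin's code).
// Left: a query-string value echoed straight into markup. Right: the same value
// sanitized on input and escaped for the exact HTML context it lands in.

// Minimal fallbacks so this runs with plain `php` outside WordPress; inside
// WordPress the core helpers of the same name are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );               // drop HTML tags
        $str = preg_replace( '/[\r\n\t ]+/', ' ', $str );  // collapse whitespace
        return trim( $str );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}

// Vulnerable pattern: the raw value reaches both a text node and an attribute
// value, so a crafted URL renders as script in whoever loads the page.
function render_search_box_vulnerable( array $get ) {
    $term = isset( $get['search'] ) ? $get['search'] : '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '">';
}

// Hardened pattern: sanitize once on input, then escape per output context
// (esc_html for text content, esc_attr for attribute values).
function render_search_box_hardened( array $get ) {
    $term = isset( $get['search'] )
        ? sanitize_text_field( wp_unslash( $get['search'] ) )
        : '';
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="search" value="' . esc_attr( $term ) . '">';
}

// Constructed sample input standing in for $_GET (the classic break-out probe).
$sample_get = array( 'search' => '"><script>alert(1)</script>' );

echo "VULNERABLE:\n" . render_search_box_vulnerable( $sample_get ) . "\n\n";
echo "HARDENED:\n"   . render_search_box_hardened( $sample_get ) . "\n";
```

Run with `php xss_escaping.php`. In the vulnerable output the quote and angle brackets survive, so the attribute is closed and a script element is emitted; in the hardened output the tags are stripped on input and the remaining `"` and `>` are encoded as `&quot;` and `&gt;`, so the browser treats the value as data. Output escaping is the control that actually prevents XSS; input sanitization is a defence-in-depth layer and is not a substitute for it, and each sink (text, attribute, URL via `esc_url()`, JavaScript via `wp_json_encode()`) needs the escaper for its own context.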
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement, redirection to malicious sites, or other actions performed within the context of the affected WordPress site. The impact is limited to the browser session of the targeted user, but if an administrator is targeted, the attacker may gain elevated privileges or perform administrative actions.
Mitigation
Users should update the All-in-One WP Security & Firewall plugin to version 4.2.0 or later, which contains the fixes for these XSS issues. The current stable version as of the reference is 5.4.7 [1]. No workarounds are documented; updating is the recommended mitigation. The plugin is actively maintained, and no EOL status has been announced.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/all-in-one-wp-security-and-firewall
  - Range: <4.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are generated only when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] wordpress.org/plugins/all-in-one-wp-security-and-firewall/
News mentions
No linked articles in our index yet.