CVE-2016-10868
Description
The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored cross-site scripting (XSS) in All In One WP Security & Firewall before 4.0.5 allows admins to inject scripts via blacklist and other settings pages.
Vulnerability
The all-in-one-wp-security-and-firewall plugin before version 4.0.5 for WordPress contains a stored cross-site scripting (XSS) vulnerability in the blacklist, file system, and file change detection settings pages. These pages lack proper input sanitization, allowing authenticated users with administrative access to inject arbitrary JavaScript or HTML into the plugin's settings [1].
Exploitation
An attacker must have administrative privileges on the WordPress site to access the affected settings pages. By crafting malicious input (e.g., a script tag) in fields such as the blacklist IP or file change detection exclusions, the payload is stored in the database. When the page is later loaded (e.g., by the same admin or a different admin), the script executes in the context of the WordPress admin dashboard [1].
Impact
Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the browser of any admin viewing the settings page. This can lead to session hijacking, defacement, or further malicious actions (e.g., creating new admin accounts) within the compromised WordPress site. The attack requires administrative access, limiting the scope to users who already have elevated privileges [1].
Mitigation
The vulnerability is fixed in version 4.0.5 of the plugin. Users should update to this version or later as soon as possible. If updating is not feasible, restricting access to the WordPress admin dashboard (e.g., via IP whitelisting or role management) can reduce the risk. No known workaround fully mitigates the XSS without patching [1].
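The narrative above describes the classic stored XSS pattern in a settings page: a value is saved without validation and later written back into admin HTML without escaping. The following added illustration is not code from the All In One WP Security & Firewall plugin (the page has no source context for this CVE); it models a hypothetical IP blacklist setting with made-up function and field names, shows the unsafe store-and-echo pattern beside a hardened version that validates on save (only IP addresses or CIDR blocks are kept) and escapes on output, and runs both against a constructed submission.

```php
<?php
// Added illustration, not code from the All In One WP Security & Firewall plugin.
// Function and field names (render_blacklist_*, blacklist_ips) are assumptions for the demo.
declare(strict_types=1);

/** Unsafe pattern: stores whatever was submitted and echoes it back unescaped. */
function render_blacklist_unsafe(array $stored): string
{
    $html = '<textarea name="blacklist_ips">';
    foreach ($stored as $entry) {
        $html .= $entry . "\n";   // raw value lands in the admin page: stored XSS
    }
    return $html . '</textarea>';
}

/** Hardened, step 1: validate on save. Only IPv4/IPv6 addresses or CIDR blocks are kept. */
function sanitize_blacklist_input(string $raw): array
{
    $kept = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        [$addr, $prefix] = array_pad(explode('/', $line, 2), 2, null);
        if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
            continue;                     // drop anything that is not an IP address
        }
        if ($prefix !== null) {
            $max = str_contains($addr, ':') ? 128 : 32;
            if (!ctype_digit($prefix) || (int) $prefix > $max) {
                continue;                 // malformed CIDR prefix
            }
        }
        $kept[] = $line;
    }
    return $kept;
}

/** Hardened, step 2: escape on output, independent of what validation did. */
function render_blacklist_safe(array $stored): string
{
    $html = '<textarea name="blacklist_ips">';
    foreach ($stored as $entry) {
        $html .= htmlspecialchars($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
    return $html . '</textarea>';
}

// Constructed sample submission: two valid entries plus a closing tag and a script tag,
// the kind of input the advisory's "script tag in the blacklist field" describes.
$submitted = "203.0.113.7\n198.51.100.0/24\n</textarea><script>alert(1)</script>";

$unsafe = render_blacklist_unsafe(explode("\n", $submitted));
$safe   = render_blacklist_safe(sanitize_blacklist_input($submitted));

echo 'unsafe output contains a live <script> tag: ' . (str_contains($unsafe, '<script>') ? 'yes' : 'no') . "\n";
echo 'safe output contains a live <script> tag:   ' . (str_contains($safe, '<script>') ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```

Inside WordPress the same two steps map onto the core helpers: sanitize the posted value before `update_option()` (for example with `sanitize_text_field()` plus the field-specific validation shown here), and wrap every stored value written into admin markup with `esc_html()`, `esc_attr()` or, for textarea bodies, `esc_textarea()`. Validation narrows what can be stored; output escaping is the control that would have prevented script execution even if a bad value slipped through.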
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / all-in-one-wp-security-and-firewall
- Range: <4.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.