One of the most popular WordPress themes in the world recently fixed a security issue that security researchers believe may have fixed a stored XSS vulnerability. The Astra changelog provided an explanation for this security update.
We have improved the security of our codebase to provide better protection for your website.
However, the changelog does not provide details about the vulnerability or its severity. This lack of information makes it difficult for theme users to decide whether to update immediately or to first test compatibility with other plugins.
SEJ reached out to the Patchstack WordPress security company who verified that Astra may have patched a cross-site scripting vulnerability.
Brainstorm Force Astra WordPress Theme
Astra is known as one of the most popular WordPress themes globally. It is a free theme that is lightweight, user-friendly, and helps create professional-looking websites. Additionally, Astra includes integrated Schema.org structured data.
Cross-Site Scripting Vulnerability (XSS)
A common type of vulnerability found on WordPress is cross-site scripting, which often occurs within third-party plugins and themes. This vulnerability arises when there is a way to input data, but the plugin or theme does not adequately filter the input or output, allowing an attacker to upload a malicious payload.
This specific vulnerability is known as a stored XSS, where the payload is directly uploaded to the website server and stored.
The non-profit organization OWASP provides a definition of a stored XSS vulnerability on their website. Stored attacks occur when a harmful script is saved on the target servers, like in a database, message forum, visitor log, or comment field. The victim unknowingly retrieves the malicious script from the server when accessing the stored information. Stored XSS is also known as Persistent or Type-II XSS.
Review of Patchstack Plugin
Patchstack was contacted by SEJ for a review of the plugin. They quickly examined the modified files and discovered a potential security concern in three WordPress functions. These functions are pieces of code that can alter the behavior of WordPress features, like adjusting the length of an excerpt. They can also bring in customizations and introduce fresh elements to a theme.
Patchstack explained their findings:
“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.
It looks like some functions have been modified to prevent the return value from the WordPress function get_the_author. This function displays the user's "display_name" property, which may contain harmful content that could lead to a cross-site scripting vulnerability if displayed without any output escaping function.
The following functions have had this change made to them:
astra_archive_page_info
astra_post_author_name
astra_post_author
If a contributor writes a post and then changes their display name to include a harmful code, that code will run when a visitor views the page with the harmful display name.
In WordPress, untrusted data can lead to XSS vulnerabilities when a user is allowed to input data.
These processes help secure a WordPress website and are known as Sanitization, Validation, and Escaping.
Sanitization is like a filter for input data, ensuring it is clean and safe. Validation involves checking input to make sure it matches the expected format, such as text instead of code. Escaping output ensures that anything displayed in the browser, like user input or database content, is safe and secure.
WordPress security company Patchstack identified changes to functions that escape data which in turn gives clues as to what the vulnerability is and how it was fixed.
Patchstack Security Advisory
It's unclear who found the vulnerability - a third party researcher or Brainstorm, the creators of the Astra theme, who then fixed it. The official Patchstack advisory provided details on this.
An unidentified individual found and reported a Cross Site Scripting (XSS) vulnerability in the WordPress Astra Theme. This flaw could potentially enable a malicious person to insert harmful scripts, like redirects, ads, and other HTML payloads, into your website. These scripts would then run when visitors access your site. Fortunately, this security issue has been addressed and resolved in version 4.6.9.
Patchstack evaluated the severity of this vulnerability as medium and gave it a score of 6.5 out of 10.
Wordfence Security Advisory
Wordfence also just published a security advisory. They analyzed the Astra files and concluded:
The Astra theme for WordPress has a vulnerability to Stored Cross-Site Scripting through a user's display name in versions up to 4.6.8. This is due to a lack of proper input sanitization and output escaping, allowing authenticated attackers with contributor-level access or higher to insert harmful web scripts on pages that will run whenever a user visits the affected page.
It is highly recommended for users of the Astra theme to update their installation to the latest version. Additionally, it is a good practice to test the updated theme for any potential errors before making it live on a website.
See also:
The WordPress Security Guide To Keep Your Site Safe
WordPress Security: 16 Steps to Secure & Protect Your Site
Featured Image by Shutterstock/GB_Art
Editor's P/S:
The recent security update for the Astra WordPress theme is a reminder of the importance of maintaining up-to-date software. While the changelog provided by the developers was lacking in details, the investigation by Patchstack and Wordfence revealed that the vulnerability was