Date: 2021-10-29

In yet another vulnerability that could have serious repercussions, cybersecurity researchers have discovered a cross-site scripting (XSS) bug in the NextScripts: Social Networks Auto-Poster plugin for WordPress.

The plugin is used to automatically publish posts from websites to any of the configured social media accounts in a fully automated manner.

Discovered by Wordfence's Ramuel Gall, the vulnerability in the popular WordPress plugin, which has over 100,000 installations, made it possible to perform a reflected cross-site scripting attack.

“As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover,” observes Gall.

Superglobal quirk

While explaining the bug, Gall notes that the XSS vulnerability reared its head because of a relatively obscure peculiarity of how PHP handles superglobal variables.

“This meant that it was possible to execute JavaScript in the browser of a logged-in administrator by tricking them into visiting a self-submitting form that sent a POST request to their site,” says Gall.
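The two halves of the mechanism Gall describes, a request value reaching an administrator's page unescaped and a cross-site self-submitting form delivering it, are illustrated below in an added, constructed PHP example. It is not the plugin's code and does not reproduce the specific superglobal quirk, which the report does not detail; the function names, the `page` and `_token` parameters, and the sample input are assumptions. The point for defenders is that every value read from a superglobal such as `$_REQUEST` (which merges GET, POST and cookie data) must be HTML-encoded before it is placed in markup, and that state-changing admin requests must carry a token a third-party site cannot supply.

```php
<?php
// Added illustration, not the plugin's code: a reflected-XSS pattern in which a
// request value is echoed into an admin page, beside a hardened version.
// The exact superglobal quirk affecting the real plugin is not reproduced here.

declare(strict_types=1);

// Vulnerable pattern: the request value is written into HTML without encoding,
// so markup or script inside it is interpreted by the administrator's browser.
function render_status_vulnerable(array $request): string
{
    $page = $request['page'] ?? '';
    return '<p>Settings for page: ' . $page . '</p>';
}

// Hardened pattern: the value is HTML-encoded before it reaches the markup.
// In WordPress plugin code the equivalent helpers are esc_html() / esc_attr().
function render_status_safe(array $request): string
{
    $page = (string) ($request['page'] ?? '');
    return '<p>Settings for page: '
        . htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// A self-submitting form on another site can make a logged-in administrator's
// browser POST to their own site, but it cannot know a per-session token.
// Verifying the token (WordPress: check_admin_referer() / wp_verify_nonce())
// rejects such requests before any value is processed or rendered.
function is_same_site_post(array $request, string $expected_token): bool
{
    $token = $request['_token'] ?? '';
    return is_string($token)
        && $expected_token !== ''
        && hash_equals($expected_token, $token);
}

// Constructed sample input resembling a crafted POST body (hypothetical values).
$crafted = [
    'page'   => '<script>alert(document.cookie)</script>',
    '_token' => '', // a cross-site form cannot supply the real token
];
$session_token = bin2hex(random_bytes(16)); // normally held by the session / nonce system

echo render_status_vulnerable($crafted), PHP_EOL; // script tag reaches the browser verbatim
echo render_status_safe($crafted), PHP_EOL;       // rendered as inert text
var_dump(is_same_site_post($crafted, $session_token)); // request is rejected
```

Run with `php example.php` to compare the two renderings; the safe renderer and the token check are independent layers, and a fix for a bug like this one normally needs both.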

The vulnerability was disclosed to the plugin’s developer in August, and a patched update of the plugin was released in early October.

Wordfence suggests all users of the plugin update to its latest version to prevent abuse of their WordPress websites.