XSS Vulnerability in Wordfence 6.1.1 to 6.1.6. Severity: 6.1 (Medium)

An hour ago a security researcher, Kacper Szurek, reported a reflected XSS vulnerability in the current version of Wordfence. Wordfence is now using CVSS as our standard vulnerability scoring mechanism. The severity of this vulnerability is 6.1 (Medium).

Impact

This only affects Wordfence users who have the Wordfence firewall disabled. Wordfence has built in protection against XSS vulnerabilities and has had since version 6.1.1, so if your firewall is enabled you are not affected. If you have the firewall in learning mode or disabled, you are not protected against this vulnerability.

What to do

We have already released a fix. If you have Wordfence set to auto-update then it will automatically update to Wordfence 6.1.7 within the next 24 hours and you don’t have to take any action. If you have the Wordfence firewall enabled, you are already protected and were never affected by this issue.

If you have Wordfence auto-update disabled and you have the firewall in learning mode or disabled, we recommend you sign into your website and manually upgrade Wordfence to version 6.1.7 now. We also suggest that you consider enabling your Wordfence firewall if that is feasible for you.

Vulnerability Info

CVSS Severity: 6.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability Type: Reflected XSS (Cross Site Scripting)

Kacper has shared a proof of concept for this vulnerability with us which we have verified. We will not be sharing it at this time but may share it at a future date.

Further notes on vulnerability disclosure by Wordfence

At Wordfence we practice responsible disclosure both on products belonging to other vendors and on our own product. Even though this is our own product, you will see a style of disclosure here that uses the same standards that we use when we disclose vulnerabilities relating to other vendor’s products.

Wordfence has now standardized on using the CVSS 3.0 vulnerability scoring system which we have included in this post. Going forward we will include the CVSS score of every vulnerability in the subject of our blog posts and in an email alert we send to our community. This gives our community an immediate indication at a glance of the severity of a vulnerability. It also provides an objective methodology of scoring vulnerabilities that is not subject to opinion or bias.

 

Did you enjoy this post? Share it!

Comments

5 Comments
  • Did you offer a bug bounty?

    • No we did not Simon. We used to have a program but stopped doing that because some of the reports were a bit lame and in a grey area.

      • Well, you can reward people for reporting bugs like this one without having an official program, just saying.

  • Thank you for your valuable information! I have Firewall installed but am confused as to who to set it up. Do you have a link for instructions? Thank you!