Popular WordPress Plugin Hit by Security Flaw, Update Today

Up to 1.5 million sites may be vulnerable to XSS attacks, according to researchers at a WordPress security firm.

Whether you’ve got one of the best WordPress hosting plans or not, you could be a target for cyber criminals. That much is clear after the revelation that users of a popular WordPress plugin may be left vulnerable to cyber criminals if they’re not running the latest version.

According to researchers from WordPress focused security company Defiant, a flaw in Beautiful Cookie Consent Banner leaves sites with the plugin installed at risk of Cross-Site Scripting, otherwise known as XSS, attacks.

This type of threat is essentially when bad actors (as hackers and cyber criminals are often called in online security circles) inject malicious JavaScript code into a website via a vulnerability, like the one found in the plugin. They can then take any number of unauthorized actions, whether it’s stealing sensitive information, staging a malware attack, or even completely taking over the website in question.

Up to 1.5 Million Attacks Linked to Flaw

Ram Gall, a security researcher and part of the Defiant team, shared full details of the vulnerability on the Wordfence website.

The short version is that the Beautiful Cookie Consent Banner flaw allows hackers to create fake WordPress admin accounts, which then theoretically gives them access to, and control of, entire websites.

He says that up to 1.5 million websites may have been targeted by as many as 3 million separate attacks, all related to the Beautiful Cookie Consent Banner flaw. If that’s enough bad news for a weekend, don’t worry: there’s a silver lining to this particular cloud.

What Beautiful Cookie Users Should Do Right Now

Gall adds that Beautiful Cookie’s creators have already released a patch addressing the flaw. This means it’s easy to protect yourself and your website against the vulnerability mentioned above.

To make sure you’re fully protected against XSS attacks, anyone using (or thinking of using) the plugin should make sure they are running version 2.10.2. This is the latest version, and the one that should be installed automatically if you’re new to the plugin, though it’s worth checking just in case.

Webmasters with older versions of the plugin are being urged to update to the patched version as a matter of priority, even though Gall and his team don’t deem the vulnerability critical in its present form.
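For anyone responsible for more than one site, the practical check is whether each install is at or above the patched release. The following is an added example (not code from Defiant, Wordfence or the plugin’s authors) that flags sites running a version older than 2.10.2; the inventory format and site names are constructed assumptions, and the point it makes is that versions must be compared numerically, since a plain string comparison ranks "2.9.5" above "2.10.2".

```python
"""Flag sites whose Beautiful Cookie Consent Banner install predates the
patched release 2.10.2 named in the article. Constructed example, not code
from the plugin's authors or from Wordfence; the inventory format and site
names are assumptions."""

PATCHED_VERSION = "2.10.2"  # first release the article says carries the fix


def parse_version(version: str) -> tuple:
    """Split '2.10.2' into (2, 10, 2) so components compare numerically.
    Plain string comparison would wrongly rank '2.9.5' above '2.10.2'.
    Missing trailing components count as 0, so '2.10' equals '2.10.0'."""
    nums = []
    for part in version.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched one."""
    return parse_version(installed) < parse_version(patched)


def find_outdated(inventory: dict) -> list:
    """Return the sorted site names still running a pre-patch version.
    inventory maps site name -> installed plugin version string."""
    return sorted(site for site, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory, as a fleet-management tool might export it.
SAMPLE_INVENTORY = {
    "shop.example": "2.9.5",    # old; a string compare would miss it
    "blog.example": "2.10.2",   # exactly the patched release
    "docs.example": "2.10.10",  # newer than the patch
    "news.example": "2.10",     # treated as 2.10.0, still vulnerable
}

if __name__ == "__main__":
    for site in find_outdated(SAMPLE_INVENTORY):
        print(f"{site}: update the plugin to {PATCHED_VERSION}")
```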


Written by:
James Laird is a technology journalist with 10+ years experience working on some of the world's biggest websites. These include TechRadar, Trusted Reviews, Lifehacker, Gizmodo and The Sun, as well as industry-specific titles such as ITProPortal. His particular areas of interest and expertise are cyber security, VPNs and general hardware.