Security researcher Kacper Szurek reported a reflected XSS vulnerability in the current version of Wordfence. The CVSS scoring system rates the severity of this XSS vulnerability as medium. Wordfence has released update 6.1.7 to address the vulnerability.

Impact of XSS vulnerability in Wordfence

The reflected XSS vulnerability only affects Wordfence users who have the Wordfence firewall disabled. Wordfence has had built-in protection against XSS vulnerabilities since version 6.1.1, so if your Wordfence firewall is enabled you should be protected. If the firewall is in learning mode or disabled, you are not protected against this vulnerability.

Wordfence has released a fix. If you have Wordfence set to auto-update then it will automatically update to Wordfence 6.1.7 within the next 24 hours and you don’t have to take any action. If you have the Wordfence firewall enabled, you are already protected and were never affected by this issue.

If you have Wordfence auto-update disabled and you have the firewall in learning mode or disabled, we recommend you sign into your website and manually upgrade Wordfence to version 6.1.7 now. We also suggest that you consider enabling your Wordfence firewall if that is feasible for you.

Vulnerability information:

  • CVSS Severity: 6.1
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Vulnerability Type: Reflected XSS (Cross Site Scripting)
  • Kacper has shared a proof of concept for this vulnerability with Wordfence, which Wordfence has verified. Wordfence will not be sharing the proof of concept at this time but may share it at a future date.

Read more about this reflected XSS vulnerability in Wordfence 6.1.1 to 6.1.6.