Zero-day vulnerability exploited in WordPress Lara Google Analytics plugin.

The WordPress Lara Google Analytics plugin, which has 20,000+ active installations, was prone to an authenticated stored XSS vulnerability in version 2.0.4 and below.

This vulnerability is currently being exploited, make sure to follow the recommendations below.

Reference

A CVE ID has been requested and we’ll update this post when it is assigned.

Authenticated Stored XSS

In the main “lara-google-analytics.php” script, the lrgawidget_setProfileID action is used to call the lrgawidget_callback function via the WordPress AJAX API.

add_action( 'wp_ajax_lrgawidget_setProfileID', 'lrgawidget_callback' );
...
...
function lrgawidget_callback() {
   global $wpdb;
   $user_id = get_current_user_id();
   $lrperm = lrgawidget_internal_permissions();
   $lrdata = $_POST;
   $modifiedAction = explode("_", $lrdata['action']);
   $lrdata['action'] = $modifiedAction[1];

   if ($lrdata['action'] == "setProfileID"){
      if ( (isset($lrdata['enable_universal_tracking'])) && !empty($lrdata['property_id'])){
         update_option('lrgawidget_property_id', $lrdata['property_id']);
      }else{
         delete_option('lrgawidget_property_id');
      }
   }
...
...

Attackers are using it to inject JS code in the property_id field. It is injected into all pages and posts of the CMS:

Note that the attack requires a user account on the blog, such as a subscriber.

Timeline

The vulnerability was reported to the wordpress.org team on October 13, 2019, and a new version 2.0.5 was released the same day.

Recommendations

Update as soon as possible if you have version 2.0.4 or below installed.
Note that the new version was released only a few hours after we reported the issue – which is a great thing – and it does block the ongoing attack, however it still lacks capability check and hopefully the author will come up with a better patch in the next few days.

If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet