More than a dozen WordPress plugins have been updated to patch vulnerabilities that allow attackers to inject potentially dangerous commands into the browsers of people visiting trusted websites. Administrators responsible for WordPress sites should make sure the fixes are installed as soon as possible.
The cross-site scripting (XSS) vulnerabilities make it possible for hackers to concoct special address URLs that inject client-side code into vulnerable Web pages viewed by visitors. Exploits can steal highly sensitive authentication cookies, which give users access to their private accounts without having to enter a password. XSS attacks can also change the content inside a vulnerable Web page. Along with SQL injection exploits, XSS attacks are among the most common class of attacks carried out on the Internet.
In the past few days, more than a dozen WordPress plugins have been updated to purge XSS vulnerabilities. According to an advisory published by Web application security firm Sucuri, they are: