The recent discovery of a critical cross-site scripting (XSS) vulnerability in versions 3.1.6 and below of the popular WP Adminify plugin is extremely concerning for WordPress site owners. This vulnerability, if exploited, could allow attackers to inject malicious JavaScript code into admin dashboards and fronts facing sites.
As reported by security researcher Rio Darmawan, this vulnerability stems from insufficient input sanitization in the plugin code. Site admins using vulnerable versions of WP Adminify are strongly advised to update or remove the plugin immediately. Unfortunately, at the time of writing, no patched version appears to be available.
For site owners unable to update or remove WP Adminify, extra precautions are required. Enabling a web application firewall (WAF) like wp-firewall.com's free WordPress firewall plugin can provide an added layer of protection while a patch is developed. A WAF inspects incoming traffic and blocks XSS attempts and other attacks before they reach the site.
With XSS vulnerabilities among the most common and dangerous facing WordPress sites today, we urge users of WP Adminify to take action. Migrate to a safe alternative, or implement temporary mitigations like a WAF. Don't leave your site and data exposed!
Readers can improve their WordPress security posture by signing up for wp-firewall.com's free WordPress firewall plugin via their pricing page: https://wp-firewall.com/pricing/
source: vuldb.com