Vulnerability found on WP-Nested Pages Plugin – patch released

WordFence threat intelligence team has been keeping busy over the past 4 weeks. The latest vulnerability found by the WordFence team marks WP-Nested Pages as a potential risk to site owners. WP-Nested Pages is a plugin that is deployed on over 80,000 WordPress websites.

What is the vulnerability found on WP-Nested Pages?

This is a Cross-site Request Forgery (CSRF) vulnerability. Wordfence mentioned on its site – “With most CSRF attacks, the victim lands on the page used to make the changes they were tricked into making, which could tip them off that something has gone wrong, especially if the changes are visible on the page,”. Due to this vulnerability, post or pages could be deleted, unpublished or assigned to a different author in bulk. The main impact of this vulnerability is the potential loss of posts and pages on the website when an attacker chooses to exploit the CSRF vulnerability.

Aside from the CSRF vulnerability, there was an open redirect vulnerability on the WP Nested Pages. As part of this vulnerability, it can be used to trick visitors into entering credentials on a phishing site by appearing to be a link to a trusted site and then redirecting them to a malicious site under an attacker’s control. Open redirect vulnerability will lead to the users being redirected to pages that have malicious code or content on the pages.

What is the fix for these vulnerabilities on the WP-Nested Pages plugin?

Both vulnerabilities have been resolved by WP-Nested Pages in the release version 3.1.16. Users of WP-Nested Pages must update the plugin to the release 3.1.16 on an immediate basis. This plugin update was released by WP-Nested Pages two weeks back i.e. somewhere in the middle of August 2021. We suggest that WordPress users of WP-Nested Pages should look into installing the patched release version 3.1.16 immediately.