The Pakistan Telecommunication Authority (PTA) has issued a cybersecurity advisory warning website administrators and developers about multiple vulnerabilities detected in several popular WordPress plugins, posing serious security risks to websites, including those in Pakistan.

According to the advisory, multiple Cross-Site Request Forgery (CSRF) vulnerabilities have been identified in plugins, including MetricThemes Munk Sites, FancyWP Starter Templates, OneStore Sites, WP Keyword Monitor, URL-Preview-Box, Vignette Ads, Show Notice or Message on Admin Area, WP Social Stream, and WP Admin Custom Page. These flaws could allow attackers to perform unauthorized actions on behalf of authenticated users without their consent.

PTA noted that, in some cases, the CSRF vulnerabilities could also lead to Stored Cross-Site Scripting (XSS) attacks, which can further compromise website integrity, steal user data, or inject malicious scripts. The severity of the identified threat has been classified as high, with both CSRF and XSS vectors posing significant exploitation potential if not mitigated promptly.

The advisory urged WordPress users and developers to immediately update the affected plugins to their latest available versions and follow official WordPress security guidelines. It further recommended restricting administrative privileges, enforcing the principle of least privilege, and using trusted security plugins to detect and prevent CSRF and XSS attacks.

PTA also emphasized the importance of user awareness and developer responsibility, advising that CSRF tokens (nonces) be properly implemented and employees be trained in safe computing practices, including recognizing phishing attempts and maintaining secure browsing habits.
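What the nonce and privilege checks the advisory calls for look like inside plugin code, as an added PHP example that is not from the advisory or from any plugin named above; the `demo` plugin, its option key and its handler names are hypothetical:

```php
<?php
// Added example (not from the PTA advisory or any plugin it names):
// a hypothetical settings handler for a WordPress plugin, shown first
// without and then with the CSRF and privilege checks the advisory recommends.

// --- Vulnerable form: any POST to admin-post.php?action=demo_save_banner that
// --- a logged-in admin's browser sends is honoured, so a page the admin visits
// --- elsewhere can submit it on their behalf (CSRF). If the saved value were
// --- later echoed unescaped, the forged submission would also be stored XSS.
function demo_save_banner_vulnerable() {
    update_option( 'demo_banner_text', $_POST['banner_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// --- Hardened form: nonce bound to one action, capability check,
// --- input sanitised on save, output escaped on render.
function demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits hidden fields carrying the nonce and the HTTP referer.
    wp_nonce_field( 'demo_save_banner', 'demo_nonce' );
    echo '<input type="hidden" name="action" value="demo_save_banner">';
    echo '<input type="text" name="banner_text" value="'
        . esc_attr( get_option( 'demo_banner_text', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function demo_save_banner_hardened() {
    // Stops the request (HTTP 403) unless a valid, unexpired nonce for this action is present.
    check_admin_referer( 'demo_save_banner', 'demo_nonce' );
    // A nonce proves intent, not authority: still confirm the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) ) : '';
    update_option( 'demo_banner_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Wherever the banner is displayed, escape on output so a stored value
// can never run as script in visitors' browsers.
function demo_show_banner() {
    echo '<div class="demo-banner">' . esc_html( get_option( 'demo_banner_text', '' ) ) . '</div>';
}

add_action( 'admin_post_demo_save_banner', 'demo_save_banner_hardened' );
add_action( 'wp_footer', 'demo_show_banner' );
```

The vulnerable handler is kept only for contrast and is deliberately not hooked to any action.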

By admin