How Your Website Gets Hacked, Reason #472

This morning during our daily scan of a client’s website, we noted a plugin needed an update.  Sometime in the past few hours, the author released a new version.  It is our normal practice to review the release notes of new versions of software before we install it. Buried way down in the list of changes was:

Cross-Site Scripting Vulnerability addressed

This is an obscure plugin, and the disclosure of this vulnerability was also pretty obscure.

Most website owners rarely check and update their website’s plugins, and this vulnerability might well lurk in there for many months, even years.  The hackers’ on the other hand, usually discover these sorts of vulnerabilities with days – sometimes hours. They then devise a test to check for their presence and incorporate that test into the bots they run.  It’s not uncommon for me to see bots checking for a vulnerability the next day after it has been disclosed.

And that’s how websites get hacked.