Digital Climate Strike WP <= 1.0.0 – Redirect to Malicious Website due to Compromised JS Asset

Description

The plugin loads a JavaScript asset from a remote website which seems to have been compromised. The widget.js file, loaded from https://assets.digitalclimatestrike.net/widget.js, redirects users to gladdiator[dot]io and is being flagged as malicious.

I've reported this to the plugin authors but have not heard anything back yet.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

digital-climate-strike-wp

No known fix

References

URL

https://github.com/fightforthefuture/digital-climate-strike-wp/issues/13

Classification

Type

REDIRECT

OWASP top 10

A1: Injection

CWE

CWE-601

CVSS

8.3 (high)

Miscellaneous

Original Researcher

Steve Perry

Submitter

Steve Perry

Submitter website

https://steveperrycreative.com

Submitter twitter

stevemarkperry

Verified

WPVDB ID

70ac3402-6ff7-48f5-b115-50e6b26f70de

Timeline

Publicly Published

2021-01-21 (about 3 years ago)

Added

2021-01-21 (about 3 years ago)

Last Updated

2021-01-22 (about 3 years ago)

Other

Published

Title

Published

2020-03-31

Title

WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint

Published

2023-12-27

Title

Advanced Access Manager < 6.9.19 - Open Redirect

Published

2014-08-01

Title

Age Verification <= 0.4 - Open Redirect

Published

2018-12-01

Title

Ninja Forms <= 3.3.19 - Authenticated Open Redirect

Published

2014-11-26

Title

Ad Manager <= 1.1.2 - Open Redirection