Cloud Security, Network Security, Vulnerability Management

Wix patches DOM XSS flaw

A security researcher says he has discovered a severe cross-site scripting (XSS) flaw in code used by the drag-and-drop website builder Wix that could lead to a worm affecting websites created by users of the DIY website platform.

The vulnerability, discovered by Contrast Security senior software engineer Matt Austin, could prompt websites created by Wix's 87 million registered users to deliver a JavaScript payload. “Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” Austin wrote on the company's Security Influencers blog.

Attackers could exploit the vulnerability to create worms that are able to gain administrator level access to accounts. Wix patched the vulnerability on Wednesday between 3:00 to 6:00 PM EST and created a bug bounty program as a result of the incident, Austin added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.