WordPress has released a security update for a zero-day flaw discovered in versions 4.2 and earlier of its popular blogging platform which could allow hackers to remotely control the server.
The stored cross-site scripting (XSS) vulnerability allows an unauthenticated attacker to inject JavaScript into WordPress comments, with the script executing when the comment is viewed, according to Finnish researcher Jouko Pynnönen.
He explained in a blog post on Sunday:
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
The vulnerability is apparently similar to one discovered by Cedric Van Bockhaven last year, which WordPress patched only last week, 14 months after it was reported.
That flaw worked by using invalid characters to truncate the comment, resulting in malformed HTML which an attacker can manipulate.
This newly discovered one uses “an excessively long comment” to achieve the same effect.
“In these two cases, the injected JavaScript apparently can't be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first,” explained Pynnönen.
WordPress has released a patch for the flaw; until it is applied, admins are urged to disable all comments.
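As an added illustration (not code from the article, from Pynnönen, or from WordPress), the following Python check mimics the truncation behaviour described above and flags comments whose stored form would no longer be well-formed HTML. It assumes comments are kept in a MySQL TEXT column that silently drops everything past 65,535 bytes; that limit, the function names and the sample comments are constructed for this example.

```python
from html.parser import HTMLParser

# Assumed storage limit: a MySQL TEXT column silently keeps only the first
# 65535 bytes. The article gives no figure; this value is an assumption.
TEXT_COLUMN_LIMIT = 65535
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

class TagBalanceChecker(HTMLParser):
    """Track open tags so leftover or mismatched tags can be reported."""
    def __init__(self):
        super().__init__()
        self.stack = []
        self.mismatched = False

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        else:
            self.mismatched = True

def simulate_storage(comment: str) -> str:
    """Return what the column would actually keep: the first N bytes."""
    raw = comment.encode("utf-8")[:TEXT_COLUMN_LIMIT]
    return raw.decode("utf-8", errors="ignore")

def check_comment(comment: str) -> dict:
    """Report whether storage would cut the comment and break its HTML."""
    stored = simulate_storage(comment)
    truncated = stored != comment
    checker = TagBalanceChecker()
    checker.feed(stored)
    checker.close()
    # A cut inside a tag leaves a trailing '<' with no matching '>'.
    last_lt = stored.rfind("<")
    unterminated = last_lt != -1 and ">" not in stored[last_lt:]
    malformed = checker.mismatched or bool(checker.stack) or unterminated
    # Policy: refuse anything the column would silently shorten, so markup
    # that was sanitised at full length never reaches the page truncated.
    return {"truncated": truncated, "malformed_html": malformed,
            "reject": truncated}

# Constructed sample comments (not taken from the article).
BENIGN = 'Nice post, see <a href="https://example.com">this</a>.'
OVERLONG = "<a title='" + "A" * (TEXT_COLUMN_LIMIT + 100) + "'>x</a>"
```

Running `check_comment` on each sample shows the benign comment passing and the overlong one flagged as both truncated and malformed, which is the condition a length limit at submission time prevents.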
However, there were harsh words from the Klikki Oy researcher – who claimed the blogging giant had “refused all communication attempts,” even when made via intermediaries such as CERT-FI and HackerOne.
WordPress is, of course, no stranger to security alerts, although most of the vulnerabilities discovered in its platform usually reside with plug-ins.
Just last week, security firm Sucuri warned of multiple WordPress XSS plug-in vulnerabilities due to misuse of the popular add_query_arg() and remove_query_arg() functions.
“The difference between these two latest vulnerabilities and what we've grown used to handling is the fact that these particular vulnerabilities target the core WordPress CMS engine, as opposed to targeting particular plug-ins,” said Rapid7 engineering manager Todd Beardsley.
“Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public internet and in internal, intranet installations.”