
JetPack And TwentyFifteen Vulnerability Puts Millions Of Sites At Risk

JetPack and TwentyFifteen Vulnerable to DOM-based XSS


Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded.

Both JetPack and TwentyFifteen are installed on millions of websites: JetPack is a plugin that offers performance and customization features, and TwentyFifteen is the theme installed by default. The payload is executed directly in the browser and never reaches the server side, which means firewalls are unable to see the execution and stop it. For the exploit to work, the victim must click a malicious link supplied by the attacker; you will not be exploited unless you click such a link.
The XSS vulnerability is very simple to exploit and occurs at the Document Object Model (DOM) level. If you are not familiar with DOM-based attacks, here is how they are defined:

DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
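To make the two points above concrete (the fragment never reaches the server, so a firewall cannot inspect it, and the page's own client-side code is what turns it into markup), here is an added example that is not from the original post and not Jetpack or WordPress code. It models a hypothetical page that copies `location.hash` into the document, first through an HTML sink (the DOM-based XSS pattern) and then through a text/escaping sink (the hardened form), and it includes a small tag-listing check a reviewer can run over the rendered output. The URL, the fragment value and the `selected` paragraph are all constructed for the example; no browser is needed because the functions return the strings a browser would receive or insert.

```javascript
// Added example, not code from the original article or from Jetpack/WordPress.
// Models DOM-based XSS without a real browser: each function returns the
// string a browser would send (to the server) or insert (into the DOM).

// Part of a URL that an HTTP request actually carries to the server:
// the path and the query string. The fragment (#...) stays in the browser,
// which is why a server-side WAF/IDS cannot see a fragment-carried payload.
function serverVisibleRequestTarget(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// Minimal HTML escaper. Assigning element.textContent in a browser gives the
// same guarantee: the untrusted value can never be parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical page feature: show which item the fragment names.
// Browsers percent-encode characters such as < and > in location.hash,
// so the page decodes it first (as real pages commonly do).
function fragmentValue(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// VULNERABLE pattern (the DOM-based XSS the post describes): untrusted data
// from location.hash is interpolated into an HTML sink such as innerHTML or
// jQuery(html). The HTTP response never changed; only the DOM does.
function renderFragmentUnsafe(hash) {
  return '<p class="selected">' + fragmentValue(hash) + '</p>';
}

// HARDENED pattern: same feature, but the fragment is treated strictly as text.
function renderFragmentSafe(hash) {
  return '<p class="selected">' + escapeHtml(fragmentValue(hash)) + '</p>';
}

// Review check: which element tags does the rendered string contain?
// Anything beyond the page's own <p> came from the untrusted fragment.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed sample: a link whose fragment carries markup, never a request parameter.
const SAMPLE_URL = 'https://example.com/some/page.html?x=1#<i>injected</i>';

// Stand-alone demonstration.
function demo() {
  const url = new URL(SAMPLE_URL);
  return {
    seenByServer: serverVisibleRequestTarget(SAMPLE_URL),
    unsafeTags: tagNames(renderFragmentUnsafe(url.hash)),
    safeTags: tagNames(renderFragmentSafe(url.hash)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check in `tagNames` is deliberately crude (a regex over the rendered string), but it captures the defensive question that matters here: does any element in the final DOM originate from data the page did not author? For the file the post discusses, that question is answered by removing it or blocking requests for its path, since the payload in the fragment is invisible to anything on the server side.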

How to fix it?

Fortunately, the fix for this one is pretty straightforward. Remove the unnecessary genericons/example.html file, or make sure you have a WAF or IDS that is blocking access to it. Because of the low severity but mass impact, we reached out to our network of hosting relationships in an effort to virtually patch this for millions of WordPress users as quickly as possible.

Author: Shivniel Gounder

TheGeek : Writes about information security, privacy, cybersecurity and latest tech gadgets and more.
