
WordPress Zero-Day Exploit Released

Millions of sites are affected


Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

Affected Versions

  • 3.9.3
  • 4.1.1
  • 4.1.2

Researcher Jouko Pynnönen released a zero-day exploit for WordPress. But why would someone release something that could affect millions of websites? According to Jouko Pynnönen, he tried numerous times to contact WordPress but was unable to get any reply from them.

WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI)

No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team has also refused to respond to the Finnish communications regulatory authority, who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status of our open bug tickets.

How does the zero-day exploit work?

A vulnerable site allows an attacker to enter malicious JavaScript code into the comments section, something that should be blocked in any case by restricting comments. If the exploit is successful, the attacker can create new admin accounts, change passwords, or simply do whatever any admin of the site is allowed to do.

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

…the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.
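The mechanism described above (a sanitized comment that is silently cut short by the database column, leaving an allowed tag open) can be modelled without any attack payload. The following is an added illustration, not WordPress code and not Pynnönen's proof of concept: it simulates a MySQL TEXT column that drops bytes past its limit in non-strict mode, detects a fragment that ends inside a tag or quoted attribute, and shows two defensive checks a comment handler can apply. The column limit of 65,535 bytes is the real TEXT limit; the sample comment and the helper names are constructed for the example, and a small limit is used in the demo so it runs instantly.

```python
# Added illustration (not WordPress code): how silent column truncation turns an
# already-sanitized comment into malformed HTML, plus the defensive checks.

TEXT_COLUMN_LIMIT = 65_535  # a MySQL TEXT column holds at most 65,535 bytes


def truncate_like_text_column(comment: str, limit: int = TEXT_COLUMN_LIMIT) -> str:
    """Model a TEXT column in non-strict SQL mode: bytes past the limit are
    dropped silently instead of the INSERT being rejected. A partial multibyte
    character at the cut is discarded, as the database would leave it invalid."""
    return comment.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def dangling_tag_start(fragment: str) -> int:
    """Return the index of the '<' that opened a tag the fragment never closes,
    or -1 if every tag is terminated. A '>' inside a quoted attribute value
    does not close the tag, which is exactly the state truncation leaves."""
    open_at = -1
    quote = None
    for i, ch in enumerate(fragment):
        if quote:
            if ch == quote:
                quote = None
        elif open_at >= 0:
            if ch in ('"', "'"):
                quote = ch
            elif ch == ">":
                open_at = -1
        elif ch == "<":
            open_at = i
    return open_at


def check_comment_length(comment: str, limit: int = TEXT_COLUMN_LIMIT) -> bool:
    """First defence: refuse anything that would not fit the column, so what is
    stored is byte-for-byte what the sanitizer approved."""
    return len(comment.encode("utf-8")) <= limit


def strip_dangling_tag(fragment: str) -> str:
    """Second defence, applied at render time: if a stored value ends inside a
    tag, cut it back to the last complete element instead of emitting it."""
    open_at = dangling_tag_start(fragment)
    return fragment if open_at < 0 else fragment[:open_at]


def build_sample(limit: int) -> str:
    """Constructed sample: an allowed <a> tag whose title attribute is padded so
    the tag straddles the column limit by ten bytes."""
    prefix = 'Nice post! <a href="https://example.com" title="'
    padding = "x" * (limit - len(prefix) + 10)
    return prefix + padding + '">link</a>'


if __name__ == "__main__":
    limit = 200  # small stand-in for TEXT_COLUMN_LIMIT so the demo is readable
    sample = build_sample(limit)
    stored = truncate_like_text_column(sample, limit)
    print("fits column:", check_comment_length(sample, limit))
    print("stored value ends inside a tag:", dangling_tag_start(stored) >= 0)
    print("safe to render:", repr(strip_dangling_tag(stored)))
```

The length check is the one that actually closes the hole: once a comment can never exceed the column, the text shown to an administrator is the text the filter inspected. Stripping a dangling tag at render time only limits the damage for rows that were already stored truncated.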

Demonstration

How To Prevent The Exploit?

Update your WordPress to version 4.2.1.
Until the update is applied, administrators should disable comments (Dashboard, Settings/Discussion, and select the most restrictive options available) and should not approve any comments.

Author: Shivniel Gounder

TheGeek: Writes about information security, privacy, cybersecurity, the latest tech gadgets and more.
