Zero Day Vulnerability Discovered In WordPress

OLYMPUS DIGITAL CAMERAMost WordPress vulnerabilities are minor, involving the use of outdated themes, plugins or other third-party software. However, a team of Finnish researchers has recently discovered a new zero-day vulnerability that allows hackers to execute code remotely on WordPress servers.

Juoko Pynnonen first reported the bug on Klikki Oy, describing it as a javascript injection vulnerability. According to Pynnonen’s report, hackers can use this vulnerability in websites running WordPress 4.2 or earlier to inject malicious JavaScript code into the site’s comment field. Assuming the comment is a minimum of 66,000 characters long, the JavaScript will be executed when someone views the comment.

An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” said Pynnonen. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”

Surprisingly, this isn’t the first cross-site scripting vulnerability identified in WordPress. Earlier this month, WP developers released a new update to patch a similar vulnerability. While each of these vulnerabilities are unique, they both rely on code injects to harm websites.

Video: WordPress 4.2 stored XSS

You can click on the play button above to see a demonstration of how the most recent zero-day WordPress vulnerability works. It’s a rather simple bug that wreaks havoc on websites running the WordPress content management system (CMS).

So, how can you protect your website against this vulnerability? The only viable solution as of now is to disable commenting. This can be done by logging into your site’s dashboard and choosing Settings > Discussion > and unticking the box that allows visitor commenting. Of course, WordPress developers should be patching this vulnerability in the upcoming days, so make sure your site is running the latest version.

Summary
Article Name
Zero Day Vulnerability Discovered In WordPress
Description
Most WordPress vulnerabilities are minor, involving the use of outdated themes, plugins or other third-party software. However, a team of Finnish researchers has recently discovered a new zero-day vulnerability that allows hackers to execute code remotely on WordPress servers.
Author

Leave a Reply

Your email address will not be published. Required fields are marked *