Most WordPress vulnerabilities are minor, involving the use of outdated themes, plugins or other third-party software. However, a team of Finnish researchers has recently discovered a new zero-day vulnerability that allows hackers to execute code remotely on WordPress servers.
Surprisingly, this isn’t the first cross-site scripting vulnerability identified in WordPress. Earlier this month, WP developers released a new update to patch a similar vulnerability. While each of these vulnerabilities is unique, they both rely on code injection to harm websites.
Video: WordPress 4.2 stored XSS
You can click on the play button above to see a demonstration of how the most recent zero-day WordPress vulnerability works. It’s a rather simple bug that wreaks havoc on websites running the WordPress content management system (CMS).
So, how can you protect your website against this vulnerability? The only viable solution as of now is to disable commenting. This can be done by logging into your site’s dashboard, choosing Settings > Discussion, and unticking the box that allows visitor commenting. Of course, WordPress developers should be patching this vulnerability in the upcoming days, so make sure your site is running the latest version.
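The dashboard setting above only changes the default for new posts; existing posts keep whatever comment status they already have. The following must-use plugin is an added example (not code from the original article or from WordPress itself) that enforces the same interim mitigation site-wide using standard WordPress hooks, so that no comment form is shown and no comment submission is processed until the patched release is installed. The plugin header and file name are assumptions.

```php
<?php
/**
 * Plugin Name: Disable Comments (interim mitigation)
 * Description: Added example, not part of the original article. Closes commenting
 *              site-wide until the patched WordPress release is installed.
 *              Save as wp-content/mu-plugins/disable-comments.php (assumed path).
 */

// Report every post and page as closed for new comments and pingbacks,
// regardless of the per-post setting stored in the database.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Do not render already-stored comments on the front end, so nothing that
// was submitted before the mitigation is displayed to visitors or admins
// viewing the site.
add_filter( 'comments_array', '__return_empty_array', 10, 2 );

// Reject any submission that still reaches wp-comments-post.php directly
// (for example, a request that bypasses the hidden form).
add_action( 'pre_comment_on_post', function () {
    wp_die(
        __( 'Commenting is temporarily disabled.' ),
        '',
        array( 'response' => 403 )
    );
} );
```

Files in wp-content/mu-plugins are loaded automatically and cannot be deactivated from the dashboard, which is why the mitigation is placed there rather than in a regular plugin. Remove the file once the site is running the patched WordPress version and comments have been reviewed.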