WordPress, the CMS used by millions of websites, has a cross-site scripting (XSS) vulnerability that lets an attacker take control of a site's administrator account.
The flaw, discovered by Jouko Pynnönen, is an XSS bug buried in the comments system of the widely used web publishing software.
It affects WordPress 3.9.3, 4.1.1, 4.1.2 and 4.2, the then-current release, which already included the fix for the earlier comment-filtering bug.
Pynnönen disclosed the flaw on his blog on Sunday, before the WordPress team had released a patch: he feared WordPress would take too long to fix the hole and wanted to warn users first.
“I didn’t report the bug to the vendor this time,” Pynnönen told The Register in an email earlier today.
The flaw is similar to one found by researcher Cedric Van Bockhaven, which WordPress finally got around to patching last week. Van Bockhaven found that certain invalid characters in comments would allow malicious JavaScript to slip through the filter and execute in visitors' browsers. This new bug relies on excessively long comments rather than on invalid characters to defeat the filtering: the comment passes the input filter, but is too long for the comment storage, so what is actually stored and later rendered is no longer the text the filter checked.
“Communication with WordPress developers has been difficult. During the past months I’ve been trying to find out what they are doing about my previous (yet unreleased) bug. I haven’t got any communication from them since November despite trying to ask them directly, via HackerOne staff, and even with help from our national authority (CERT-FI).
“They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable.”
“[WordPress] took 14 months to produce the code to detect invalid characters in comments,” Pynnönen told us, explaining why he revealed his XSS bug before a patch was available.
When a page containing such a comment is viewed by someone logged in with administrator rights, the injected script runs in the administrator's browser, with no indication to the administrator that anything has happened.
By default, WordPress does not publish a commenter's comment automatically until an administrator has approved a comment from that author.
An attacker can work around this by first posting an innocuous comment; once it is approved, later comments from the same author are approved and published to the post automatically, including the malicious one.
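The failure mode described above, sanitization on input followed by a storage layer that silently truncates, is worth seeing in code. The following is an added example written for this page, not WordPress code and not Pynnönen's proof of concept: it uses a deliberately small allowlist sanitizer of my own (not wp_kses), and the 65535-byte cap is an assumption matching a MySQL TEXT column. It shows that a comment which passes the filter can, after truncation, end mid-tag, so the filter's guarantees no longer hold; the hardened store rejects over-length input instead of truncating it.

```python
"""Sanitize-then-truncate breaks an HTML allowlist filter (added example).

A comment is filtered on input, then written to a column with a hard byte
cap that silently drops the excess. The filtered text is well formed; the
truncated copy may not be, because the cut can land inside a tag.
"""
import html
import re

MAX_BYTES = 65535  # assumed storage cap (size of a MySQL TEXT column)

# Allowlisted tags and the attributes each may carry (toy policy, not wp_kses).
ALLOWED = {"a": {"href", "title"}, "em": set(), "strong": set()}

TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^<>]*?)(/?)>")
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*')""")


def sanitize(comment: str) -> str:
    """Keep only allowlisted tags/attributes; escape everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        closing, name, attrs, _ = m.groups()
        name = name.lower()
        if name not in ALLOWED:
            out.append(html.escape(m.group(0)))      # unknown tag: neutralise
        elif closing:
            out.append(f"</{name}>")
        else:
            kept = [f"{k}={v}" for k, v in ATTR_RE.findall(attrs)
                    if k.lower() in ALLOWED[name]]   # drops on*= handlers etc.
            out.append(f"<{name}{' ' if kept else ''}{' '.join(kept)}>")
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)


def truncating_store(sanitized: str) -> str:
    """Models a column that silently discards bytes past the cap."""
    return sanitized.encode("utf-8")[:MAX_BYTES].decode("utf-8", errors="ignore")


def has_unterminated_tag(stored: str) -> bool:
    """True when the last '<' never reaches a '>': the markup the browser
    sees is no longer the markup the filter approved."""
    last_open = stored.rfind("<")
    return last_open != -1 and stored.find(">", last_open) == -1


def is_rejected(sanitized: str) -> bool:
    """Hardened store: refuse what the column cannot hold, never truncate."""
    return len(sanitized.encode("utf-8")) > MAX_BYTES


# Constructed input: an allowlisted <a> whose (allowed) title is far too long.
LONG_TITLE = "A" * (MAX_BYTES + 100)
COMMENT = f"<a href='https://example.org' title='{LONG_TITLE}'>link</a>"


def demo() -> dict:
    clean = sanitize(COMMENT)            # passes the filter untouched
    stored = truncating_store(clean)     # what a truncating column keeps
    return {
        "sanitized_ok": not has_unterminated_tag(clean),
        "stored_broken": has_unterminated_tag(stored),
        "stored_len": len(stored.encode("utf-8")),
        "hardened_rejects": is_rejected(clean),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a length check belongs before the sanitizer's verdict is trusted, and an over-length comment should be an error, not a silent edit: any transformation applied after filtering (truncation, re-encoding, texturizing) has to be proven not to change what the filter decided.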
To fix the bug, site administrators should upgrade to WordPress 4.2.1 by going to Dashboard → Updates and clicking “Update Now”.