WordPress Sites Are Vulnerable To XSS Attack

WordPress Sites Are Vulnerable To XSS Attack

WordPress users, beware! Researchers at Finnish security firm Klikki have uncovered a vulnerability in the latest and earlier WordPress versions (4.2). They have identified that the sites running latest and earlier WordPress versions are vulnerable to a stored cross-site scripting (XSS) attack that allows hackers to inject malicious JavaScript in WordPress comments. 

According to the researchers, "If [the script] triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."

Vulnerable Versions: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3 (Tested with MySQL versions 5.1.53 and 5.5.41).

The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid character to truncate the comment, this time an excessively long comment is used for the same effect.

If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page. 

Proof Of Concept:

Enter as a comment text:
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAAAAAAAAA...[64 kb]..AAA'></a>

How To Prevent Exploitation ?

Disable and do not approve any comments until WordPress comes out with a patch.

No comments

Powered by Blogger.