WordPress has fixed in its newest version (4.0.1) a critical cross-site scripting vulnerability that could allow anonymous attackers to compromise WordPress web sites, according to its security release.
The cross-site scripting flaw, which occurs on versions from 3.0 to 3.9.2, was discovered by Jouko Pynnonen from Klikki Oy IT company.
The Java script gets executed, and gains administrator privileges, when the blog admin enters the Comments section from its Dashboard to review comments.
“For instance, our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user’s password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).”
All operations occur in the background so as to not raise any flags for the site administrator. The exploit will give the attacker user privileges corresponding with the user who triggered it.
Luckily, the exploit cannot be triggered if the WordPress user only accesses the Dashboard, due to the snippets of its latest comments.
Some 85.5 per cent of all WordPress installations use versions 3.0 to 3.9.2, which are all vulnerable to this flaw. WordPress administrators are advised to update to 4.0 or 4.0.1 or apply the workaround issued by Klikki in its advisory.
The security update also fixes 23 flaws from the WordPress 4.0 version among others.