Industry News

WordPress Fixes Critical Cross-Site Scripting Flaw; WordPress 4.0.1 Released

WordPress has fixed a critical cross-site scripting vulnerability in its newest version (4.0.1) that could allow anonymous attackers to compromise WordPress web sites, according to its security release.

The cross-site scripting flaw, which affects versions 3.0 through 3.9.2, was discovered by Jouko Pynnonen of the IT company Klikki Oy.

“The JavaScript injected into a comment is executed when the target user views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard,” Klikki’s advisory said. “In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue.”

The JavaScript is executed, with administrator privileges, when the blog administrator opens the Comments section of the Dashboard to review comments.

“For instance, our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user’s password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).”

All operations occur in the background so as not to raise any flags for the site administrator. The exploit gives the attacker the privileges of the user who triggered it.
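The defect class described above is stored cross-site scripting: HTML submitted by an anonymous commenter is later rendered to a logged-in administrator, whose session then carries out whatever the script asks for. The standard defence is to treat comment markup as untrusted on output and pass it through an allow-list sanitizer that keeps a few harmless tags and drops everything else, including script blocks, event-handler attributes and `javascript:` URLs. The sanitizer below is an added illustration written for this article; it is not WordPress code and does not reproduce the actual 4.0.1 fix (the article does not describe it). The allow-list of tags and attributes is a constructed assumption.

```python
"""Allow-list sanitizer for untrusted comment HTML (illustrative, not WordPress code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: tags a commenter may use and the attributes each may carry.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "blockquote": set(),
}
# Elements whose *content* is dropped as well, not just the tag itself.
SKIP_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url):
    """Accept relative URLs and a few schemes; reject javascript:, data:, etc.
    Control characters are removed first so 'java\\tscript:' cannot slip past."""
    cleaned = "".join(ch for ch in url if ord(ch) > 32)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-escape
        self.out = []
        self.open_tags = []  # allowed tags currently open, to keep output balanced
        self.skipping = None  # name of a script/style element whose body we discard

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in SKIP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...) is dropped; its text is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick=, onerror=, style=, ... by default
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # Close this tag and anything opened after it so nesting stays valid.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments and conditional comments are discarded

    def result(self):
        self.close()  # flush buffered text
        while self.open_tags:  # close tags the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(untrusted_html):
    """Return comment markup that is safe to render to any viewer, including admins."""
    parser = CommentSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of a hostile comment left in the moderation queue.
    hostile = ('Nice post! <a href="javascript:alert(1)" onclick="steal()">click</a> '
               '<script>alert(document.cookie)</script> <strong>ok</strong>')
    print(sanitize_comment(hostile))
```

Sanitizing on output rather than on input means the moderation view, the public post page and any widget that shows comment excerpts all render the same neutralized markup, which is the property the attack above relies on being absent.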

Luckily, the exploit is not triggered when the user merely views the Dashboard, because the Dashboard shows only snippets of the latest comments.

Some 85.5 per cent of all WordPress installations use versions 3.0 to 3.9.2, which are all vulnerable to this flaw. WordPress administrators are advised to update to 4.0 or 4.0.1 or apply the workaround issued by Klikki in its advisory.

The security update also fixes 23 flaws from WordPress 4.0, among other issues.

About the author

Lucian Ciolacu

Still the youngest Bitdefender News writer, Lucian is constantly after flash news in the security industry, especially when something is vulnerable or exploited. Besides digging for 'hacker' scoops and data leaks, he enjoys sports such as football and tennis.
He has also combined an interest in social and political sciences, as a graduate of the Political Science Faculty, with a passion for guitar and computer games.