New WordPress Zero-Day: Are you in trouble?


A new zero-day exploit for the WordPress platform has officially been announced. Security researcher Jouko Pynnönen discovered a Cross-Site Scripting (XSS) vulnerability that affects WordPress versions 4.2 and below.

This vulnerability allows an attacker to execute JavaScript via the WordPress comment field.


If you’re asking yourself what this means for you, you’ll need to check two things:

  1. See if you have WordPress comments enabled (tutorial here)
  2. If you do, check whether it is the WordPress-based commenting system or an external one like Disqus (which we use)

If comments are enabled and you use the built-in WordPress commenting system, you should immediately update your site to the most current version of WordPress (currently 4.2.1).


The Technical Aspect

I wanted to include this section for folks who have more of a technical background and are looking for more information. Pynnönen has published the actual details here: http://klikki.fi/adv/wordpress2.html.

His explanation is as follows:


If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.


Although this is true, the executable code is out there.
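The truncation problem the advisory describes, as an added illustration (this is not code from the post, from Pynnönen's advisory, or from WordPress): a comment that passed sanitization intact is cut off at the storage limit, so the stored text stops inside an allowed attribute value and the page later renders malformed markup. The defensive answer is to refuse anything the column cannot hold before it is stored, so what was sanitized is exactly what is saved. The column emulation, the sample comments and the function names are constructed assumptions; the 65535-byte limit is the capacity of a MySQL TEXT column, the "64 kilobytes" the advisory refers to.

```python
# Added example (not from the post or from WordPress): why truncating
# already-sanitized HTML at a storage limit yields malformed markup, and the
# length gate that prevents it. All inputs below are constructed.

MYSQL_TEXT_MAX_BYTES = 65535  # capacity of a MySQL TEXT column (2**16 - 1)


def store_in_text_column(comment: str) -> str:
    """Emulates a non-strict MySQL TEXT column: bytes past the limit are
    silently dropped. (Constructed stand-in, not a real database call.)"""
    data = comment.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES]
    return data.decode("utf-8", errors="ignore")


def ends_inside_markup(html: str) -> bool:
    """True if the string stops inside a tag or a quoted attribute value,
    which is exactly the malformed tail that truncation produces."""
    in_tag = False
    quote = None
    for ch in html:
        if quote:                      # inside "..." or '...'
            if ch == quote:
                quote = None
        elif in_tag:
            if ch in ('"', "'"):
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    return in_tag or quote is not None


def accept_comment(comment: str, limit_bytes: int = MYSQL_TEXT_MAX_BYTES) -> str:
    """Defensive gate: refuse anything the column cannot hold intact, so the
    stored text is always the same text that was sanitized."""
    size = len(comment.encode("utf-8"))
    if size > limit_bytes:
        raise ValueError(f"comment is {size} bytes; limit is {limit_bytes}")
    return comment


def demo() -> dict:
    # A short comment that survives storage unchanged.
    short = '<a href="https://example.com" title="ok">link</a>'
    # An over-long comment whose allowed attribute value straddles the limit
    # (constructed: about 70 KB of filler inside an otherwise ordinary tag).
    long_ = '<a title="' + "x" * 70_000 + '">link</a>'

    stored_long = store_in_text_column(long_)
    try:
        accept_comment(long_)
        gated = "accepted"
    except ValueError:
        gated = "rejected"

    return {
        "short_is_malformed_after_storage": ends_inside_markup(store_in_text_column(short)),
        "long_is_malformed_after_storage": ends_inside_markup(stored_long),
        "stored_long_bytes": len(stored_long.encode("utf-8")),
        "long_comment_gate": gated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in ends_inside_markup is deliberately simple: it only asks whether the text ends mid-tag or mid-attribute, which is enough to show that the stored copy of the long comment is no longer the well-formed HTML that was sanitized. The gate in accept_comment is the real fix: enforce the length limit before the database does it for you.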


The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.


Just hold on tight here:


In these two cases, the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.


So there is a silver lining: it can’t be triggered from the administrative dashboard. I would honestly recommend migrating your commenting system to a plugin like Disqus. It simplifies moderation and removes most spam from the mix. Here is the proof of concept:


If you’re confused by WordPress and how to secure your company website: nDigit can help! Contact us for more information.
