A crucial cross-site scripting flaw is patched in the latest WordPress Update – 4.0.1. The vulnerability compromises comment boxes on websites that apply the content management system software. Exploiting the flaw, an attacker would have to inject malicious JavaScript in a comment. This way when a reader or an administrator views the comment, he would be automatically infected.
According to the Finnish researcher Jouko Pynnonen, this is the most apparent scenario for an attack. The vulnerability is not visible to the regular user. The JavaScript gets executed as soon as the admin of the web page opens the Comment section. This action grants the script admin privileges, and it can perform numerous operations.
Together with another college Klikki Oy, the researcher has developed an exploit which is capable of adding accounts, changing password and using the plug-in editor in order to write malevolent PHP code to the server using the admin console. The exploit can also delete the inserted script from the database.
In case the cyber criminal uses the plugin editor to write a new PHP code in the server, another AJAX request can be applied to execute it instantly, granting the attacker operating system level access on the server.
XSS Flaw Present in Versions 3.0 and 3.9.2
Cross-site scripting still presents a serious problem to web security. An XSS attack allows cyber criminals to gain control over a website by modifying HTML fields and web forms.
An expert with the SANS Institute reveals that the flaw is present in the 3.0 and the 3.9.2 versions. The vulnerability is not to be found in the 4.0.1 version due to the different regular expression.
The update also patches:
- three other cross-site scripting vulnerabilities
- a cross-side request forgery bug
- a highly improbable hash collision that may lead to account compromise
- a denial-of-service flaw related to password checks
The WordPress Team also announced that it cancels links in a password reset email in case the user remembers the password and logs in and changes their email address.
At the same time, Sucuri researchers reported another cross-site scripting flaw in the WP-Statistics WordPress plug-in. According to the experts, the bug affects websites that use version 8.3 or lower. The plug-in was addressed in version 8.3.1
Researcher Marc-Alexandre Montpas said:
→“An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on its behalf. Leveraging this vulnerability, one could create new administrator account[s], insert SEO spam in legitimate blog posts and a number of other actions within the WordPress’s admin panel.”
Technical details will be available in thirty days.