WordPress 4.0.1 Update Patches Critical XSS Vulnerability

The latest version of WordPress, 4.0.1, patches a critical cross-site scripting vulnerability in comment fields that enables admin-level control over a website.

WordPress’s latest update, 4.0.1, patches a critical cross-site scripting vulnerability affecting comment boxes on websites running the content management system software.

An attacker would need only to inject malicious JavaScript into a comment; the script would then run in the browser of a reader viewing it on the webpage or of an admin viewing it in the management dashboard.

Jouko Pynnonen, a security researcher from Finland, yesterday posted some details on the Full Disclosure security mailing list, the same day WordPress released its update.

“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue. The exploit is not then visible to normal users, search engines, etc.,” Pynnonen said. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”

Pynnonen said he and fellow researcher Klikki Oy have developed a proof-of-concept exploit that can change passwords, add accounts or use the plug-in editor to write malicious PHP code to the server from the administrator’s console. It can also remove the injected script from the database.

“If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server,” Pynnonen said.

Cross-site scripting remains a persistent nuisance to website security. Using an XSS attack, a hacker could modify web forms and other HTML fields on a webpage in order to gain control. WordPress, for example, allows HTML tags in comments, which exacerbated the issue in question.

“This is always a very dangerous undertaking,” cautioned Johannes Ullrich of the SANS Institute in an advisory. “The [WordPress] developers did attempt to implement the necessary safeguards. Only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn’t done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.”

Pynnonen said the vulnerability exists in versions 3.0 through 3.9.2 and spans a four-year period. Version 4.0.1 does not use the same regular expression, eliminating the problem.
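The safeguard Ullrich describes, a tag allowlist plus an attribute check, is shown below as an added example that is not WordPress’s code: it builds the check on a real HTML parser, so that malformed markup (unquoted attributes, entity-encoded or whitespace-padded URL schemes) is tokenized the way a browser tokenizes it rather than pattern-matched with a regular expression. The tag and attribute allowlist, the scheme list, the helper names and the sample inputs are all constructed for this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Per-tag attribute allowlist, constructed for this example (not WordPress's
# real list). Anything not listed is dropped, so on* handlers need no enumerating.
ALLOWED = {"a": {"href", "title"}, "blockquote": {"cite"}, "b": set(),
           "i": set(), "strong": set(), "em": set(), "code": set(), "p": set()}
URL_ATTRS = {"href", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    # Allow relative URLs and a few schemes. Whitespace and control characters
    # are removed first because browsers ignore them when reading a scheme.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # unparseable URL: treat as unsafe
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    # Re-emits only allowlisted tags and attributes; all text is re-escaped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; its text content is still emitted as text
        kept = []
        for name, value in attrs:  # names come lowercased, values entity-decoded
            value = value or ""
            if name not in ALLOWED[tag]:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Because the parser, not a regex, decides where a tag and its attributes begin and end, an unallowlisted attribute is dropped whether it is quoted, unquoted or entity-encoded.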

The update also addresses three other cross-site scripting vulnerabilities, a cross-site request forgery flaw, a denial-of-service bug related to password checks, server-side request forgery issues, and what WordPress called “an extremely unlikely hash collision” that could lead to account compromise. WordPress said the update also invalidates the links in a password reset email if the user remembers their password, logs in and changes their email address.

Meanwhile, researchers at Sucuri issued an advisory for another cross-site scripting vulnerability in the WP-Statistics WordPress plug-in. Researcher Marc-Alexandre Montpas said every website using version 8.3 or lower is vulnerable.

The plug-in was patched in version 8.3.1.

“An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on its behalf,” Montpas said. “Leveraging this vulnerability, one could create new administrator account[s], insert SEO spam in legitimate blog posts, and a number of other actions within the WordPress’s admin panel.”

Montpas said Sucuri will release technical details in 30 days, giving users time to update the plug-in.

“The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website’s visitors,” Montpas said. “If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”
