WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details of a zero-day vulnerability he discovered in the core engine of WordPress 4.2 and earlier that could lead to remote code execution on the webserver.
Jouko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported.
The vulnerability allows an attacker to inject JavaScript through the WordPress comment field; the comment has to be at least 66,000 characters long, and the injected script executes when the comment is viewed, Pynnonen said.
“An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” Pynnonen said. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”
Pynnonen said the best solution until a patch is made available is to disable comments and not approve any.
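The interim mitigation described above is to disable comments entirely. For sites that cannot do that, the following is an added example, written here and not part of the article, of Pynnonen's research, or of any WordPress code, of a must-use plugin that rejects oversized comments before they reach the database; the 60,000-byte threshold is a constructed value chosen to stay below the 64 KiB limit of a MySQL TEXT column, which is where a 66,000-character comment gets truncated.

```php
<?php
/*
Plugin Name: Reject oversized comments (example mitigation, not official WordPress code)
Description: Drops any comment whose body exceeds a fixed byte limit before it is stored.
*/

// Constructed threshold: comfortably below the 65,535-byte TEXT column limit,
// so the database never silently truncates a stored comment.
define('EXAMPLE_MAX_COMMENT_BYTES', 60000);

/**
 * Runs on the real WordPress 'preprocess_comment' filter, which receives the
 * comment data array before wp_insert_comment() writes it.
 */
function example_reject_oversized_comment(array $commentdata) {
    // Measure bytes, not characters: the column limit is a byte limit.
    $length = strlen($commentdata['comment_content']);

    if ($length > EXAMPLE_MAX_COMMENT_BYTES) {
        // Leave an audit trail for the site operator; REMOTE_ADDR may be absent under some SAPIs.
        $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf(
            'Rejected oversized comment (%d bytes > %d) on post %d from %s',
            $length,
            EXAMPLE_MAX_COMMENT_BYTES,
            (int) $commentdata['comment_post_ID'],
            $remote
        ));
        // Stop processing with a 413 Payload Too Large response.
        wp_die(
            __('Your comment is too long to be accepted.'),
            __('Comment rejected'),
            array('response' => 413)
        );
    }

    return $commentdata;
}
add_filter('preprocess_comment', 'example_reject_oversized_comment');
```

Drop the file into `wp-content/mu-plugins/` so it loads without activation. This only blocks the oversized-comment vector the article describes; it is a stopgap, not a substitute for the vendor patch, and comment moderation should stay enabled alongside it.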
“Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations,” said Rapid7 engineering manager Tod Beardsley. “In addition, the latest vulnerability remains unpatched by the vendor, so WordPress administrators should be spending their Monday morning evaluating if a plugin to mitigate the exposure is right for their site, or if comments should be disabled altogether until a patch is available.”
Earlier this week, a patch was released for WordPress 4.2 and 4.1.2 that addressed a vulnerability reported in early 2014 by researcher Cedric Van Bockhaven. Van Bockhaven’s bug relied on special characters included in a comment that caused it to be truncated improperly and led to code execution.
Pynnonen said he chose not to report his bug privately because of the 14 months it took WordPress developers to come up with code to detect invalid characters in comments.
“During this time all WordPress servers using default comment settings have been quite easily hackable,” he said. “Now it turns out they still didn’t get it right. It looks like the risk for WordPress users may be smaller and patches faster with full disclosure.”
Pynnonen said he reported another vulnerability to WordPress in November that has yet to be patched, despite his requesting updates directly, via the HackerOne bounty platform and through Finland’s CERT.
“Communication with WordPress developers has been difficult,” Pynnonen said. “They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable.”