WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver.
Jouko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported.
Pynnonen said the best solution until a patch is made available is to disable comments and not approve any.
“Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations,” said Rapid7 engineering manager Tod Beardsley. “In addition, the latest vulnerability remains unpatched by the vendor, so WordPress administrators should be spending their Monday morning evaluating if a plugin to mitigate the exposure is right for their site, or if comments should be disabled altogether until a patch is available.”
Earlier this week, a patch was released for WordPress 4.2 and 4.1.2 that addressed a vulnerability reported in early 2014 by researcher Cedric Van Bockhaven. Van Bockhaven’s bug required special characters included in a comment that would cause it to be truncated improperly and lead to code execution.
Pynnonen said he did not report his bug because of the 14 months it took WordPress developers to come up with code to detect invalid characters in comments.
“During this time all WordPress servers using default comment settings have been quite easily hackable,” he said. “Now it turns out they still didn’t get it right. It looks like the risk for WordPress users may be smaller and patches faster with full disclosure.”
Pynnonen said he reported another vulnerability to WordPress in November that has yet to be patched, despite requesting updates directly, via the HackerOne bounty platform and through Finland’s CERT.
“Communication with WordPress developers has been difficult,” Pynnonen said. “They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable.”