Researchers have found a string of weaknesses in the default WordPress installation page, including PHP code execution and persistent cross-site scripting, affecting versions 3.3.1 and later. WordPress officials say they do not plan to fix the vulnerabilities because the window in which an attacker could exploit them is small.
The flaws were found by researchers at Trustwave's SpiderLabs, whose advisory on the WordPress bugs describes how attackers would be able to exploit them and includes code that demonstrates the problems. Exploiting them does require specific conditions: the attacker must be able to reach the setup page of a WordPress copy whose installation has been left unfinished.
“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious JavaScript can be injected into the content of WordPress yielding persistent Cross Site Scripting,” the advisory says in describing the XSS and PHP code execution bugs.
The same setup page also contains reflected XSS flaws in the form fields it presents, separate from the persistent flaw described above.
“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply JavaScript within the ‘dbname’, ‘dbhost’ or ‘uname’ parameters. Upon clicking the submission button, the JavaScript is rendered in the client’s browser,” the advisory says.
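As an added example (not code from the article, from Trustwave or from WordPress), the Python below triages the two conditions the quoted passages describe: whether a WordPress tree is still in the exposed state, i.e. no wp-config.php has been written yet, and whether a captured submission of the install form either points the database host away from the local machine (the rogue-MySQL install that yields PHP execution) or carries markup in the fields the advisory names (the reflected XSS). The field names dbname, dbhost and uname are taken from the advisory; the request path /wp-admin/setup-config.php, the POST method, the step=2 and pwd parameters, the 'host:port' and 'host:socket' forms of dbhost, and the check of the parent directory for wp-config.php are assumptions about how WordPress behaves, and the sample requests are constructed for the example.

```python
"""Triage helpers for the two setup-config.php issues in the Trustwave advisory.

Added example, not code from the article, Trustwave or WordPress. Field names
dbname/dbhost/uname come from the advisory; the request path, POST method,
step=2, pwd, the host:port / host:socket dbhost forms and the parent-directory
wp-config.php lookup are assumptions about WordPress behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
TARGETED_FIELDS = ("dbname", "dbhost", "uname")
# Angle brackets, quotes, a javascript: URL or an inline event handler in a
# field that the install page echoes back is what the reflected XSS relies on.
MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str   # "external-dbhost" or "markup-in-field"
    field: str
    value: str


def install_is_unfinished(wp_root):
    """True while the install window is open: no wp-config.php in the site root
    or one level above it (assumption: WordPress looks in both places)."""
    root = Path(wp_root)
    return not (root / "wp-config.php").exists() and not (root.parent / "wp-config.php").exists()


def strip_port_or_socket(host):
    """Reduce 'host:3306', 'host:/run/mysqld.sock' or '[::1]:3306' to the host part."""
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_local_dbhost(dbhost):
    """True if the submitted dbhost names the machine running WordPress itself."""
    host = dbhost.strip().lower()
    for candidate in (host, strip_port_or_socket(host)):
        if candidate in LOCAL_HOSTS:
            return True
        try:
            if ipaddress.ip_address(candidate).is_loopback:
                return True
        except ValueError:
            pass
    return False


def inspect_submission(method, url, form):
    """Findings for one captured request; form maps field name -> submitted value."""
    if method.upper() != "POST" or urlsplit(url).path.split("/")[-1] != "setup-config.php":
        return []
    findings = []
    dbhost = form.get("dbhost", "")
    if dbhost and not is_local_dbhost(dbhost):
        # The attacker's own MySQL server: credentials are checked there, not here.
        findings.append(Finding("external-dbhost", "dbhost", dbhost))
    for field in TARGETED_FIELDS:
        value = form.get(field, "")
        if MARKUP.search(value):
            findings.append(Finding("markup-in-field", field, value))
    return findings


# Constructed sample submissions, not real traffic. 203.0.113.7 is a
# documentation address standing in for an attacker-controlled MySQL server.
SAMPLES = {
    "legit-local": ("POST", "/wp-admin/setup-config.php?step=2",
                    {"dbname": "wordpress", "uname": "wp", "pwd": "s3cret", "dbhost": "localhost:3306"}),
    "rogue-db": ("POST", "/wp-admin/setup-config.php?step=2",
                 {"dbname": "wordpress", "uname": "anything", "pwd": "anything", "dbhost": "203.0.113.7"}),
    "reflected-xss": ("POST", "/wp-admin/setup-config.php?step=2",
                      {"dbname": '"><script>alert(1)</script>', "uname": "wp", "pwd": "x", "dbhost": "localhost"}),
    "unrelated": ("GET", "/index.php", {}),
}


def scan(samples=SAMPLES):
    """Map sample name -> list of finding kinds, for every sample that has findings."""
    results = {}
    for name, (method, url, form) in samples.items():
        kinds = [f.kind for f in inspect_submission(method, url, form)]
        if kinds:
            results[name] = kinds
    return results


if __name__ == "__main__":
    for name, kinds in scan().items():
        print(f"{name}: {', '.join(kinds)}")
```

The external-dbhost finding is a signal rather than proof: a site that legitimately uses a remote database server trips it too, so it is worth reviewing only for requests made while install_is_unfinished() is true, which is exactly the window the advisory and the WordPress response are arguing about.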
Officials from WordPress said that there is little risk of exploitation, so they will not be publishing patches for the vulnerabilities.
“We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small,” WordPress officials said in response to the disclosures.