WordPress’s latest update, 4.0.1, patches a critical stored cross-site scripting vulnerability in the comment system of websites running the content management system.
Pynnonen, of the security firm Klikki Oy, said he has developed a proof-of-concept exploit that runs when an administrator views the poisoned comment: from the administrator’s session it can change passwords, add accounts, or use the plug-in editor to write malicious PHP code to the server. It can also remove the injected script from the database to cover its tracks.
“If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server,” Pynnonen said.
Cross-site scripting remains a persistent nuisance to website security. With an XSS attack, an attacker plants script in a page that the victim’s browser then executes with the victim’s session and privileges, so whatever the victim can do in the site’s admin panel, the script can do too. WordPress, for example, allows a limited set of HTML tags in comments, and the filtering of those tags is what went wrong in the issue in question.
“This is always a very dangerous undertaking,” cautioned Johannes Ullrich of the SANS Institute in an advisory. “The [WordPress] developers did attempt to implement the necessary safeguards. Only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn’t done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.”
Pynnonen said the vulnerability exists in versions 3.0 through 3.9.2, a span of roughly four years. Versions 4.0 and later use a different regular expression in the comment filter and are not affected.
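The failure mode Ullrich describes, a tag allow-list whose attribute check parses HTML less leniently than the browser does, can be shown in a few lines. The following is an added example and not WordPress code; the naive regex, the tiny allow-list and the sample comments are all constructed for illustration and are not the vulnerable WordPress expression. The naive filter only recognises double-quoted attributes and then echoes the raw tag, so an unquoted event handler slips past it; the hardened filter tokenises the input with Python’s lenient html.parser and rebuilds the output from the parsed tokens, keeping only allow-listed attributes.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comments (not from the advisory). The third carries an
# unquoted event-handler attribute; the fourth a javascript: URL.
SAMPLE_COMMENTS = [
    'Nice post, see <a href="https://example.com" title="ref">this</a>.',
    'Bold <b>text</b> and <script>alert(1)</script> gets dropped.',
    '<a href="https://example.com" title="x" onmouseover=alert(1)>hover me</a>',
    '<a href="javascript:alert(1)">click</a>',
]

# Tiny allow-list: tag name -> attributes permitted on it (hypothetical).
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set()}

# --- Naive, regex-based filter (illustrative flaw, not WordPress's code) ---
TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^>]*)>")
# Only double-quoted attributes are recognised; anything else is invisible.
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def naive_filter(comment: str) -> str:
    """Drop disallowed tags, but echo allowed tags verbatim after a regex check."""
    def fix(m: re.Match) -> str:
        name, attrs = m.group(2).lower(), m.group(3)
        if name not in ALLOWED:
            return ""
        for attr, _value in ATTR_RE.findall(attrs):
            if attr.lower() not in ALLOWED[name]:
                return ""
        # Bug: the original tag text is returned, including attributes the
        # regex never matched (unquoted ones), which the browser will parse.
        return m.group(0)
    return TAG_RE.sub(fix, comment)


# --- Hardened filter: parse like a browser, then re-serialise ---
class Rebuilder(HTMLParser):
    """Tokenise with the lenient stdlib parser and emit only allow-listed markup."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities arrive as text
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag not in ALLOWED:
            return  # disallowed tag is dropped entirely
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None]
        if tag == "a":  # only http(s) links survive; javascript: and friends go
            kept = [(k, v) for k, v in kept
                    if k != "href" or v.strip().lower().startswith(("http://", "https://"))]
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text (including <script> bodies, which the parser hands over as data)
        # is re-escaped, so it can never become markup.
        self.out.append(html.escape(data, quote=False))


def hardened_filter(comment: str) -> str:
    """Return the comment rebuilt from parsed tokens, never from raw input."""
    p = Rebuilder()
    p.feed(comment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("naive:   ", naive_filter(c))
        print("hardened:", hardened_filter(c))
```

The check that a practitioner should take from this is not the particular regex but the approach: a sanitiser that reasons about attributes with its own pattern while the browser reasons with a far more forgiving tokenizer will eventually disagree with the browser, and every such disagreement is an XSS. Rebuilding output from a parse tree removes that gap, because nothing the parser did not explicitly understand and approve is ever emitted.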
The update also addresses three other cross-site scripting vulnerabilities, a cross-site request forgery flaw, a denial-of-service bug related to password checks, server-side request forgery issues, and what WordPress called “an extremely unlikely hash collision” that could lead to account compromise. WordPress said the update also invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Meanwhile, researchers at Sucuri issued an advisory for another cross-site scripting vulnerability, this one in the WP-Statistics WordPress plug-in. Researcher Marc-Alexandre Montpas said every website running version 8.3 or lower is vulnerable; the plug-in was patched in version 8.3.1.
“An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on its behalf,” Montpas said. “Leveraging this vulnerability, one could create new administrator account[s], insert SEO spam in legitimate blog posts, and a number of other actions within the WordPress’s admin panel.”
Montpas said Sucuri will release technical details in 30 days, giving users time to update the plug-in.