New Security Flaw Allows Attackers to Hijack WordPress Sites

If you’re a WordPress user, you’ll want to update your site with a critical security release. That’s because a new zero-day vulnerability, discovered by Jouko Pynnönen of the Finnish security firm Klikki Oy, allows attackers to gain administrative control of WordPress sites.

The exploit, known as a cross-site scripting (XSS) bug, involves leaving a long comment (over 64 kb) with malicious JavaScript that a logged-in administrator can trigger simply by viewing the comment. Bad things can then happen, according to Klikki Oy:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

According to Klikki Oy, another security researcher, Cedric Van Bockhaven, reported a similar WordPress flaw in 2014, although it was only patched this week.

Matt Mullenweg, who is both the lead developer of WordPress and founder and CEO of its parent company Automattic, released the following official statement by email (no link):

It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [the anti-spam plugin] Akismet, which blocks this attack.

However, many WordPress-powered sites do not run Akismet, which now costs $5 to $9 a month for commercial sites and $50/month for enterprise sites. (Automattic did not immediately respond to request for the percentage of users who use the plugin).

[Update: Mullenweg stated in an April 28 email that the number of Akismet users is “more than it has ever been, and [we] can say it’s the vast majority of WP sites.”]

WordPress is pushing out the security patch via auto-update, so that will protect many users—at least those who have auto-update enabled—even if they don’t use Akismet.

Lead image by Sean MacEntee

The post New Security Flaw Allows Attackers to Hijack WordPress Sites appeared first on ReadWrite.

Related posts

Superfish: How To Get Unhooked From Lenovo’s Dangerous Adware

Tech Wide Africa

Google’s Gender-Diversity Push Is Paying Off

Tech Wide Africa

The Tricorder, An All-In-One Diagnostic Device, Draws Nigh

Tech Wide Africa

Leave a Comment