Zero-Day Vulnerability in WordPress Makes It Easy to Hijack Millions of Websites

12 May 2015

Singapore: WordPress is the most popular content management system, used by millions of websites. It is now vulnerable to two newly discovered flaws that let an attacker take complete control of a site and, through it, of the web server. Attack code targeting one of the latest WordPress versions has been published, making this a zero-day exploit that could set off a wave of site hijackings across the internet.

An attacker will be able to do whatever the admin can do!

Both vulnerabilities are stored (persistent) cross-site scripting (XSS) bugs: they let an attacker inject code into the HTML that administrators receive while maintaining the site. The attack works by embedding malicious code in the comments section that appears by default at the bottom of any WordPress post or page. From there, attackers can add new administrators, change any password, or take any other action a legitimate admin can take.

Jouko Pynnönen of the Finnish security firm Klikki Oy, who reported the flaw, wrote in his blog that if the vulnerability is triggered by an administrator who is logged in under default settings, the attacker can leverage it to execute arbitrary code on the server via the plugin and theme editors. The attacker can also create new administrator accounts, change the administrator's password, or do whatever the logged-in administrator can do on the targeted system.

How does an attacker exploit the vulnerability?

The attacker exploits the vulnerability by posting a comment that contains JavaScript and padding it with a very large amount of text, more than 64 KB in total. WordPress filters the comment's HTML before storing it, but the database column that holds comment text is limited to 64 KB, so the oversized comment is silently cut short. What remains in the database is no longer the well-formed HTML the filter approved, and when someone logged in as a WordPress administrator views the comment, the malicious code runs with no sign that an attack is under way.

By default WordPress does not publish a comment until its author has had an earlier comment approved by an administrator. Attackers get around this quite simply: they first post a harmless comment and wait for it to be approved. After that, subsequent comments from the same author are approved automatically and published on the same post.
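To make the failure mode concrete, here is an added model of the sanitize-then-truncate pipeline described above. It is my own illustration, not code from WordPress or from the researcher's advisory. It assumes a toy allow-list filter standing in for WordPress's real one, a minimal HTML5-style tag tokenizer standing in for the browser, and, as a simplifying assumption, an output-time formatting step that turns a stray straight quote into a typographic entity; only the 64 KB limit is the real MySQL TEXT column size. All function names (`sanitize`, `store`, `texturize`, `render`, `accept_comment`, `browser_tag_attrs`) and the `PAYLOAD` are constructed for this example. It shows the filter approving a comment, the database cutting it short, the browser then seeing an `onmouseover` attribute the filter never saw, and two fixes: refusing over-length comments before they are filtered (the shape of the upstream fix) and re-filtering the stored bytes at output time.

```python
# Added model (not WordPress's code) of the sanitize-then-truncate failure behind the comment XSS.
# Stand-ins: ALLOWED is a toy allow-list (not wp_kses), tokenize_tag() a minimal browser tokenizer,
# and texturize() an ASSUMED output-formatting step; only the 64 KB limit is the real MySQL figure.
import re

DB_COLUMN_LIMIT = 65535   # bytes a MySQL TEXT column holds; in non-strict mode the rest is dropped
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set()}   # toy allow-list (assumption)
TAG_OPEN = re.compile(r"<([A-Za-z][^\s/>]*)")
END_TAG = re.compile(r"</([A-Za-z]+)\s*>")
ATTR_NAME = re.compile(r"=?[^\s/=>]*")      # note: '<' is legal inside an attribute name
UNQUOTED = re.compile(r"[^\s>]*")           # an unquoted value runs to whitespace or '>'
# Constructed payload: the handler hides in a quoted title value the filter accepts; the filler
# pushes the closing quote past the 64 KB column boundary.
PAYLOAD = "<a title='x onmouseover=alert(document.cookie) " + "A" * DB_COLUMN_LIMIT + "'>hi</a>"


def skip(src, j, chars):
    while j < len(src) and src[j] in chars:
        j += 1
    return j


def tokenize_tag(src, i):
    """Parse the start tag at src[i] == '<' as an HTML5 tokenizer would; None if no '>' arrives."""
    m = TAG_OPEN.match(src, i)
    if not m:
        return None
    name, j, attrs = m.group(1).lower(), m.end(), []
    while True:
        j = skip(src, j, " \t\r\n/")
        if j >= len(src):
            return None
        if src[j] == ">":
            return name, attrs, j + 1
        m = ATTR_NAME.match(src, j)
        attr, j, value = m.group(0).lower(), m.end(), None
        k = skip(src, j, " \t\r\n")
        if k < len(src) and src[k] == "=":
            k = skip(src, k + 1, " \t\r\n")
            if k < len(src) and src[k] in "'\"":
                close = src.find(src[k], k + 1)
                if close < 0:                    # EOF inside a quoted value: tag discarded
                    return None
                value, j = src[k + 1:close], close + 1
            else:
                m = UNQUOTED.match(src, k)
                value, j = m.group(0), m.end()
        attrs.append((attr, value))


def sanitize(fragment):
    """Input-side filter: only allowed tags and attributes survive, so on* handlers are dropped."""
    out, i = [], 0
    while i < len(fragment):
        lt = fragment.find("<", i)
        if lt < 0:
            out.append(fragment[i:])
            break
        out.append(fragment[i:lt])
        end = END_TAG.match(fragment, lt)
        if end:
            if end.group(1).lower() in ALLOWED:
                out.append(f"</{end.group(1).lower()}>")
            i = end.end()
            continue
        tag = tokenize_tag(fragment, lt)
        if tag is None:                          # a '<' that never closes is plain text
            out.append("&lt;")
            i = lt + 1
            continue
        name, attrs, i = tag
        if name in ALLOWED:
            kept = "".join(f" {k}='{v.replace(chr(39), '&#39;')}'"
                           for k, v in attrs if k in ALLOWED[name] and v is not None)
            out.append(f"<{name}{kept}>")
    return "".join(out)


def store(sanitized):
    # The database write: the column keeps the first 64 KB and silently drops the rest.
    return sanitized.encode("utf-8")[:DB_COLUMN_LIMIT].decode("utf-8", errors="ignore")


def texturize(stored):
    """ASSUMED output formatting: a straight quote outside a complete <...> tag becomes a
    typographic entity, and the comment is wrapped in a paragraph (which supplies a '>')."""
    parts = re.split(r"(<[^>]*>)", stored)
    body = "".join(p if p.startswith("<") and p.endswith(">") else p.replace("'", "&#8216;")
                   for p in parts)
    return f"<p>{body}</p>"


def render(stored, refilter=False):
    # Vulnerable path trusts the stored bytes; the hardened path re-runs the allow-list on them.
    return texturize(sanitize(stored) if refilter else stored)


def accept_comment(comment):
    # Hardened intake: refuse what the column cannot hold instead of letting it be truncated.
    if len(comment.encode("utf-8")) > DB_COLUMN_LIMIT:
        raise ValueError("comment exceeds the storage limit; refusing rather than truncating")
    return store(sanitize(comment))


def browser_tag_attrs(html, wanted):
    # Minimal browser: attributes of the first start tag named `wanted`, as tokenized.
    tags = (tokenize_tag(html, m.start()) for m in re.finditer("<", html))
    return next((t[1] for t in tags if t and t[0] == wanted), [])
```

Walking it through: `sanitize(PAYLOAD)` returns the payload unchanged, because the filter sees a single quoted `title` value and no event handler. `store` keeps only the first 65535 bytes, which drops the closing quote and the `>`. `render(stored)` then hands the browser model a tag whose attribute list contains `onmouseover`, while `render(stored, refilter=True)` re-runs the allow-list on the stored bytes, escapes the now-unclosed `<`, and yields no `<a>` tag at all. `accept_comment(PAYLOAD)` raises before anything reaches storage, which is the right place to stop this: validate the length against what the column can hold before sanitizing, and never let the store silently alter what the filter approved.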

This vulnerability is fixed in WordPress 4.2.1!

This attack is similar to one disclosed recently by researcher Cedric Van Bockhaven, which also embedded malicious code in the comments section. That earlier vulnerability was fixed with the release of WordPress 4.2; the new one is fixed in WordPress 4.2.1.

Several WordPress plugins were also updated recently to close cross-site scripting vulnerabilities. Administrators should install the core update as soon as it is available to them; until then, they should consider disabling comments, or using a comment-filtering plugin such as Akismet, to reduce their exposure.

Fortune Softtech Singapore is an established WordPress development company that follows a strategic, systematic approach to building websites. Our process begins with a thorough study of the client's requirements, continues with identifying their business goals, and ends with an ideal solution. Get in touch with us to make the best use of our web development services.
