WordPress Under Attack As Double Zero-Day Trouble Lands


The WordPress platform is yet again under attack, thanks to vulnerabilities across old and new versions of the content management system.

The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof-of-concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code in WordPress site comments. Under normal circumstances this should be blocked, as it could be abused to send visitors’ usernames and passwords to a hacker's site, what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site.

If a logged-in administrator visits the affected page, the hacker could acquire access to the server, Klikki Oy warned. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.” For website admins, the advice for now is to disable comments until a fix is released.

Ryan Dewhurst, security researcher and owner of the WordPress vulnerability database WPScan, told FORBES he'd tested the attack code and it worked. His own proof-of-concept hack can be found on GitHub. He noted the attack requires the hacker to have a previously approved comment on the target site, so the comment containing the exploit does not need approving.

To inject a malicious JavaScript script via this zero-day, the hacker has to make their comment long enough that the data chunk received by the site's MySQL database is equal to 64KB. This causes an error allowing the rogue code to be placed in the comments. Exactly 65,535 'A' characters would do the trick, Dewhurst said.
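As an added illustration (not code from the article, Klikki Oy or WordPress), the toy storage model below shows the failure mode the paragraph describes: a comment that passes validation before it is written can come back different once the database silently drops everything past the 64KB TEXT column limit. The truncation behaviour and the balanced-tag check are this example's own assumptions, not details taken from the article.

```python
import re
from typing import Optional

# Capacity of a MySQL TEXT column: the 64KB figure from the article.
TEXT_COLUMN_BYTES = 65535

# Toy tag matcher: captures an optional '/', the tag name and its attributes.
TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^<>]*)>")


def html_is_balanced(html: str) -> bool:
    """Toy validator: every '<' opens a complete tag and every tag is closed."""
    tags = TAG_RE.findall(html)
    # A '<' without a matching '>' means a tag was cut off part-way through.
    if html.count("<") != len(tags):
        return False
    stack = []
    for closing, name, _attrs in tags:
        if closing:
            if not stack or stack.pop() != name.lower():
                return False
        else:
            stack.append(name.lower())
    return not stack


def store_in_text_column(value: str) -> str:
    """Models a TEXT column in non-strict mode: excess bytes vanish, no error raised."""
    return value.encode("utf-8")[:TEXT_COLUMN_BYTES].decode("utf-8", errors="ignore")


def save_comment_unsafe(comment: str) -> Optional[str]:
    """Validate, then store: the stored copy is not what was validated."""
    if not html_is_balanced(comment):
        return None
    return store_in_text_column(comment)


def save_comment_safe(comment: str) -> Optional[str]:
    """Refuse anything the column cannot hold, so validated and stored text agree."""
    if len(comment.encode("utf-8")) > TEXT_COLUMN_BYTES:
        return None
    return save_comment_unsafe(comment)


# Constructed input: a harmless link whose padding pushes the closing tag past the limit.
PADDING = "A" * (TEXT_COLUMN_BYTES - 20)
LONG_COMMENT = '<a href="https://example.com">' + PADDING + "</a>"
```

Run against `LONG_COMMENT`, the unsafe path stores a string that its own validator now rejects, while the safe path refuses the comment outright, which is the check a length cap on comment bodies provides.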

Gary Pendergast, from the WordPress team, said a fix was on the way, but there was no timeline. He recommended using the Akismet plugin, which should help block attacks.

Just last week, WordPress 4.1.2 was released to address a number of vulnerabilities, including a remarkably similar cross-site scripting issue reported by researcher Cedric Van Bockhaven that was open to attack for at least 14 months. Users have been advised to update, though with the fresh zero-day they will likely remain unprotected upon upgrading.

CloudFlare, the content delivery network that sees roughly five per cent of the web’s traffic going through its servers, said on Friday it had seen malicious emails sent out by hackers trying to point people to a compromised WordPress site hosted by Bluehost. It appeared they were abusing one of the critical flaws in older versions of the CMS, most likely the cross-site scripting weakness in 4.1.1 and below.

Given that WordPress sites have been beleaguered by attacks throughout recent years, as should be expected when roughly 20 percent of the web runs on the platform, users should take all necessary precautions.

UPDATE: WordPress has now fixed the flaw with the release of 4.2.1. Time to get patching.