The WordPress content management system, used by millions of websites, is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Jouko Pynnönen discovered the zero-day vulnerability in WordPress versions 4.2 and earlier, which allows an attacker to use stored (also called persistent) cross-site scripting (XSS) bugs to embed code in a WordPress comment field. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform.
In this new WordPress vulnerability, the malicious comment has to be at least 66,000 characters long, and the script is triggered when the comment is viewed, Pynnönen said.
What is a “zero-day” vulnerability?
A zero-day vulnerability is a hole in software that is unknown to the vendor. The hole is exploited by hackers before the vendor becomes aware of it and hurries to fix it—an attack that uses such a hole is called a zero-day attack. Zero-day attacks can be used to infiltrate malware or spyware, or to gain unwanted access to user information. The term “zero-day” refers to the fact that the hole is unknown to everyone other than the hackers, in particular the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Wide-reaching impact
“Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations,” said Rapid7 engineering manager Tod Beardsley.
Critical update available
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and WordPress strongly encourages users to update their sites immediately at the WordPress.org update page: https://wordpress.org/news/2015/04/wordpress-4-2-1/. If installing the update must be delayed, users are advised to restrict or disable commenting functions, and not approve existing comments until the update is completed.