The default WordPress Theme the presence of DOM XSS(cross-site scripting vulnerability affecting millions of users-vulnerability warning-the black bar safety net

ID MYHACK58:62201562123
Type myhack58
Reporter 佚名
Modified 2015-05-08T00:00:00


! The use of the Genericons package of WordPress plugin or theme are likely to be affected by a DOM-basedXSSvulnerability, because of WordPress default theme Twenty Fifteen 及 知名 插件 Jetpack 都 包含 了 存在 漏洞 的 页面 example.html that affect millions of users. Vulnerability causes Any use of the genericons package of WordPress plugin or theme will be this DOM based cross-site scripting vulnerability, as is usually the case genericons package contains a example. the html file and the file contains a DOM-basedXSSvulnerabilities. These affected plug-ins including JetPack plugin, it has more than 1 0 0 million active installs, while affected also installed by default TwentyFifteen theme. In this time of vulnerability of events, Automattic and the WordPress team left a simple example. the html file and the file contains a DOM-basedXSSvulnerabilities. ! Attack In order to use the DOM-basedXSSvulnerability, the attacker needs to induce victims to click on an exploit link. Unfortunately, however, the security threat has been ready for world-wide use this DOM-basedXSSvulnerabilities. Sucuri company published a blog post stating: “This attack interesting is that, in the vulnerability exposure of a few days ago we detected its presence. To this end, we also made one about the vulnerability report, some customers also get this report and claim that they are affected by this vulnerability, and will point to the following URL: http:// src=1 onerror= alert(1)> In this POC, theXSSto print a JavaScript alert, but you can use it in your browser, execute JavaScript script, if you have logged on as an administrator of the site, then use the vulnerability will be able to take down the entire site control.” Safety recommendations But the good news is that you can easily fix this DOM-basedXSSvulnerabilities, you'll need to remove the example. html file or a shield any for example. the html file access.