Swati KhandelwalTHN:A029D3C1302FC55D806F6B23D4A37B4FWordPress Vulnerability Puts Millions of Websites At Risk
0.006 Low
EPSS
Percentile
76.5%
Millions of WordPress websites are at risks of being completely hijacked by the hackers due to a critical _cross-site scripting (XSS) vulnerability _present in the default installation of the widely used content management system.
The cross-site scripting (XSS) vulnerability, uncovered by the security researcher reported by_ Robert Abela _of Security firm Netsparker.
Wordpress vulnerability resides in Genericons webfont package that is part of default WordPress Twenty Fifteen Theme.
Here comes the threat:
The XSS vulnerability has been identified as a βDOM-based,β which means the flaw resides in the**_document object model (DOM) _**that is responsible for text, images, headers, and links representation in a web browser.
The easy-to-exploit DOM-based Cross-Site Scripting (XSS) vulnerability occurred due to an insecure file included with Genericons that allowed the Document Object Model Environment in the victimβs browser to be modified.
Whatβs DOM-Based XSS attack?
In DOM-Based Cross-Site Scripting attack, the payload executes in the _DOM (Document Object Model) _instead of part of the HTML in the victimβs browser,
This means the page itself does not change, but the client side code contained in the page executes in a different manner due to the malicious modifications in the DOM environment.
DOM-based Cross-Site Scripting vulnerabilities are much harder to detect than classic XSS flaws because they reside in the script code from the website.
DOM-based XSS vulnerability allows hackers to steal or hijack your session, carry out very advanced phishing attacks.
The vulnerability is actively being exploited in the wild and so far, the researcher has discovered JetPack plugin andTwenty Fifteen theme to be vulnerable to a DOM-based XSS attack. Apparently, any WordPress plugin that comes with the Genericons package is potentially vulnerable to the attack.
JetPack is a popular WordPress plugin with more than 1 Million download. The plugin is bundled with many useful features including customization, traffic, mobile, content, and performance tools, which makes managing a WordPress site a whole lot easier.
How to hijack a WordPress website?
Generally, a DOM-based XSS attack requires an administrator to click on a malicious link while logging into a vulnerable WordPress installation and once clicked, the hackers can gain full control of the vulnerable website.
Security Firm Sucuriβs researcher David Dede explains:
> βWhat is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:
> _
_http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
> _
__In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin._β
It is not clear exactly how many websites are vulnerable to the attack, but JetPack plugin comes installed by default in millions of WordPress templates, making the count even larger.
Measure to protect your WordPress website:
Administrators of WordPress sites should check if their site is running the Genericons package.
In case it is running, they should either immediately delete the_** example.html file**_ that is included with the package, or at least, make sure that their web application firewall or intrusion detection system is blocking access to it.
Sucuri has contacted and informed almost a dozen Web hosts who have already virtually patched the vulnerability on their websites they host.
The hosts include GoDaddy, ClickHost, Inmotion, HostPapa, DreamHost, WPEngine, Pagely, Pressable, SiteGround, Websynthesis, and Site5.
UPDATE - WORDPRESS INSTALL
WordPress released WordPress 4.2.2 update few hours ago, resolving the above issues with Genericons icon font package as well as patching the critical cross-site scripting (XSS) vulnerability, which could enable hackers to compromise the websites.
Administrators are strongly recommended to immediately update their sites to WordPress 4.2.2.
WordPress allows security patches to get rolled out to users automatically. But administrators with βDisabled Auto-updateβ feature are strongly recommended to upgrade their sites as soon as possible.
Related
