WordPress Patches Critical XSS Vulnerability in All Builds

ID THREATPOST:0C6008808E4A2430B30594A3EB0F3EF8
Type threatpost
Reporter Chris Brook
Modified 2015-07-24T15:09:55


WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise.

According to Gary Pendergast, an engineer at Automattic, WordPress’ parent company, the XSS vulnerability could be exploited by any user with the ‘contributor’ or ‘author’ role. While specifics around the vulnerability weren’t published, WordPress warns it would be possible for an attacker to exploit it to fully hijack a site. As all versions of the CMS are vulnerable, the company is strongly encouraging webmasters to update their sites to the most recent build (4.2.3) immediately.

The update also includes a slew of other fixes, including a bug found by researchers at the security firm Check Point that could’ve allowed ‘Subscribers’ to create blog posts via the CMS’ Quick Draft mechanism. The update also incorporates fixes for 20 bugs from version 4.2 of the platform.

Two other developers behind popular WordPress plugins announced this week that they addressed vulnerabilities in their products earlier this month. The bugs could have opened websites running the plugins to arbitrary code execution, the theft of sensitive information, and even total compromise.

Researchers with High-Tech Bridge, a Swiss security firm, discovered the issues, a collection of XSS and SQL injection vulnerabilities, and disclosed them on Wednesday.

The SQL injection bug existed in Count Per Day, a WordPress counter plugin that until very recently was available through WordPress.org’s Plugin directory. The issue, which stems from insufficient filtering of input data, could have let an attacker manipulate SQL queries, as well as inject and execute arbitrary SQL commands within the application’s database. High-Tech Bridge warns that if left unfixed the vulnerability could also let attackers gain access to sensitive information and compromise the entire website.

Tom Braider, the plugin’s developer, was quick to address the issue, however, and issued a fix the same day. While the latest version of the plugin, 3.4.1, was removed from WordPress’ plugin directory earlier this week – there was a minor licensing issue, according to Braider – it’s still available for download on his personal website.

The second issue High-Tech Bridge found was identified in Paid Memberships Pro, a plugin that helps web developers provide restricted access to web pages. The plugin, which has been downloaded over 40,000 times, suffered from a series of XSS vulnerabilities. The bugs were tied to an input sanitization issue that could have let a remote attacker trick an administrator into opening a malicious link. From there the attacker could have “executed arbitrary HTML and script code in the browser in context of the vulnerable website,” according to High-Tech Bridge. The vulnerability existed in the PMPro settings pages of the plugin’s dashboard.

According to Jason Coleman, an administrator at Paid Memberships Pro, the issue was resolved in version of the plugin, which was pushed live on July 8.