Developers at Automattic, the parent company behind the blogging platform WordPress, fixed a nasty stored cross-site scripting error this week in Akismet, an anti-spam plugin that figures into millions of websites.
The bug was fixed Tuesday in an update, 3.1.5, according to Christopher Finke, an engineer at Automattic that works on Akismet.
> We've released a security update for Akismet for WordPress. Update now if your site hasn't already auto-updated. <https://t.co/AMKsHBjh5l> > > — Akismet (@akismet) October 13, 2015
Akismet filters spam from legitimate comments and trackbacks on WordPress sites. About to enter its 10th year, the service boasts three million users.
Researchers at Sucuri, who discovered the bug at the beginning of this month, described it as dangerous in a disclosure published on Wednesday. The vulnerability is actually exploitable via the comment section on sites running versions of the Akismet plugin after 2.5.0. The bug stems from an emoticon spam setting called “Convert emoticons like and 😛 to graphics on display.” If ticked off, which apparently is the case by default on all new WordPress setups, an attacker could inject malicious scripts into the comment section of the admin panel, Sucuri warns.
If they used the right code, an attacker could break certain title attributes, insert new parameters, and confuse the browser, tricking it to trigger a payload.
“Doing this could lead to multiple exploitation scenarios, including a full site compromise,” Marc-Alexandre Montpas, a researcher at Sucuri, wrote Wednesday.
WordPress points out that Akismet – even in older versions – was technically already blocking attempts during the comment-check API call and that as far as they know the vulnerability hasn’t been exploited in the wild yet.
Finke also pointed out that a team of WordPress.org plugin developers went ahead and pushed an automatic update for any sites running the vulnerable versions to auto update plugins earlier this week.
Those who haven’t already can either go to the Updates section of their WordPress dashboard and follow instructions there, or download the plugin’s zip file directly at the plugin directory, according to Finke.
This is actually the second stored XSS vulnerability in a major WordPress plugin to be addressed this month. Two weeks ago the company fixed an issue, also found by Sucuri, in Jetpack contact-form module, that was also turned on by default.