WordPress has issued a critical security update, WordPress Security Release 4.2.1, announced in an advisory by Gary Pendergast, after millions of websites were found to be exposed to a bug that lets an attacker take control of a site.
Pendergast wrote: "A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site." He added: "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."
Discovered by Jouko Pynnönen of the Finnish security company Klikki and disclosed while still unpatched, the vulnerability sits in WordPress's comment handling. It is a stored cross-site scripting (XSS) bug that lets an attacker take over an entire website running WordPress.
In a blog post, Klikki explained that, under default settings, if the injected script is triggered by a logged-in administrator the attacker can use it to execute arbitrary code on the server through the plugin and theme editors. Alternatively, the attacker could change the administrator's password, create new administrator accounts, or do anything else the logged-in administrator can do on the target system.
The attack is carried out by posting a comment that embeds JavaScript inside an allowed HTML tag and then padding it with more than 64 KB of text, so that the stored comment no longer matches what WordPress sanitised.
"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be long," Pynnönen said.
"The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core," he added.
WordPress versions 3.9.3, 4.1.1, 4.1.2 and the then-current 4.2 are confirmed affected.
The bug is similar to one reported by Cedric Van Bockhaven in 2014; the only difference in this variant is that an excessively long comment is used to achieve the same effect. In both cases the injected JavaScript cannot be triggered from the administrative Dashboard, so the exploit requires getting past comment moderation, for example by posting one harmless comment first (by default WordPress auto-approves later comments from an author whose earlier comment was approved).
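The failure described by Pynnönen above, and the 2014 variant it resembles, share one shape: the comment is sanitised first and stored second, and storage silently changes the value that was checked. The added example below is not WordPress or Klikki code; it models that pipeline in Python with a simplified allow-list sanitiser standing in for wp_kses (assumed to emit attribute values in single quotes), a stand-in for a non-strict MySQL TEXT column that cuts data at the 65535-byte limit quoted in the article, and, going slightly beyond this page, the 2014 trigger as reported by Van Bockhaven, where a `utf8` (3-byte) column cuts the value at the first 4-byte character. The payloads are constructed for the example. The hardened store refuses any comment the column cannot hold unchanged, which is the check the article's own reasoning calls for: the value validated must be the value stored.

```python
from html import escape
from html.parser import HTMLParser

MYSQL_TEXT_MAX_BYTES = 65535   # TEXT column limit cited in the article

# Allow-listed tags/attributes: a stand-in for the real wp_kses list (assumed).
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set()}


class _AllowlistSanitizer(HTMLParser):
    """Re-serialises markup, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                                   # disallowed tag dropped entirely
        kept = ((k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None)
        # Values are escaped and single-quoted (assumed style): `onmouseover=` inside a
        # title is inert text for as long as the closing quote survives storage.
        attr_text = "".join(f" {k}='{escape(v)}'" for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(raw):
    p = _AllowlistSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


def has_unterminated_tag(markup):
    """True if the markup ends inside a tag, e.g. inside a quoted attribute value."""
    i, n = 0, len(markup)
    while i < n:
        if markup[i] != "<":
            i += 1
            continue
        quote, j = None, i + 1
        while j < n:
            c = markup[j]
            if quote:
                if c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == ">":
                break
            j += 1
        else:
            return True                              # ran out of input before '>'
        i = j + 1
    return False


def mysql_text_store(value, charset="utf8mb4"):
    """Model of a non-strict MySQL TEXT column: data that does not fit is cut, not rejected.
    Any charset: bytes past the TEXT limit are dropped (the 2015 trigger).
    'utf8' (3-byte): the value is cut at the first 4-byte character (the 2014 trigger, assumed)."""
    if charset == "utf8":
        for idx, ch in enumerate(value):
            if ord(ch) > 0xFFFF:
                value = value[:idx]
                break
    return value.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", errors="ignore")


def store_comment_vulnerable(raw, charset="utf8mb4"):
    """Sanitise, then insert: the value that was validated is not the value that was stored."""
    return mysql_text_store(sanitize(raw), charset)


class UnstorableComment(ValueError):
    pass


def store_comment_hardened(raw, charset="utf8mb4"):
    """Sanitise, then refuse anything the column could not hold byte-for-byte."""
    clean = sanitize(raw)
    if len(clean.encode("utf-8")) > MYSQL_TEXT_MAX_BYTES:
        raise UnstorableComment("comment exceeds the storage column; refusing to insert")
    if charset == "utf8" and any(ord(ch) > 0xFFFF for ch in clean):
        raise UnstorableComment("comment contains characters a utf8 column cannot store")
    stored = mysql_text_store(clean, charset)
    assert stored == clean, "validated and stored values must be identical"
    return stored


# Constructed payloads modelled on the published technique: the event handler sits inside
# the title attribute's value, so the markup is harmless until the closing quote is lost.
PAYLOAD_LONG = "<a title='x onmouseover=alert(1) " + "A" * 66000 + "'>link</a>"
PAYLOAD_ASTRAL = "<a title='x onmouseover=alert(1) \U0001F600'>link</a>"

if __name__ == "__main__":
    for name, payload, cs in (("64KB padding", PAYLOAD_LONG, "utf8mb4"),
                              ("4-byte char", PAYLOAD_ASTRAL, "utf8")):
        clean, stored = sanitize(payload), store_comment_vulnerable(payload, cs)
        print(f"{name}: sanitised intact={not has_unterminated_tag(clean)} "
              f"stored intact={not has_unterminated_tag(stored)}")
        try:
            store_comment_hardened(payload, cs)
        except UnstorableComment as exc:
            print(f"{name}: hardened store refused it ({exc})")
```

Running it shows both payloads pass the sanitiser intact and come back out of the vulnerable store with an open quote and no closing tag, which is the malformed HTML Pynnönen describes; the hardened store rejects both before anything reaches the column. The general lesson is independent of WordPress: any transformation between validation and use (truncation, charset conversion, re-encoding) needs its own check, or the validation has to be repeated on the stored form.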