WordPress Unpatched XSS Bug Discovered


The latest vulnerability arrives days after WordPress was updated to fix a similar flaw

Finnish researchers have warned that the WordPress online publishing platform has an unpatched vulnerability that could allow malicious code to be injected into website comments.

The bug, which affects WordPress versions 4.2 and earlier, allows malicious JavaScript to be injected into a comment field, with the code being activated when the comment is viewed in a user’s browser, according to security firm Klikki Oy. The malicious code triggers a cross-site scripting (XSS) attack that can steal user data, the company said in an advisory.

WordPress broken

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Klikki Oy said. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The problem is caused by a defect in the way WordPress handles overly long comments – those more than 64KB in size. When such comments are automatically truncated, the result is malformed HTML whose attributes can be controlled by the user posting the comment.

In order to reach the requisite size, a comment would need to be more than 65,000 characters in length, researchers said.
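To make the sanitize-then-truncate failure concrete, here is an added Python model; it is not WordPress code and not Klikki Oy's proof of concept. The allowlist filter, the storage limit constant and the sample comment are all constructed for the demonstration, and the filter is a toy that only shows why a storage layer must never cut filtered markup behind the filter's back.

```python
"""Toy model of the defect described above: a comment passes the HTML filter,
then the storage layer silently cuts it at the column limit, leaving a tag open.
Everything here is constructed for the demo; none of it is WordPress code."""
import re

# Mirrors the 64 KB column limit named in the article (constructed; a real
# limit counts bytes, this toy counts characters).
STORAGE_LIMIT = 65535

# Allowlist: <a>, <b>, <i>, with optional double-quoted href/title attributes.
ALLOWED_TAG = re.compile(r'<(/?)(a|b|i)((?:\s+(?:href|title)="[^"<>]*")*)\s*>', re.I)


def _escape_text(text: str) -> str:
    """Neutralise markup characters in plain text (toy: a real filter also handles '&')."""
    return text.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def sanitize(comment: str) -> str:
    """Keep allowlisted tags verbatim, escape everything else. Idempotent on its own output."""
    out, pos = [], 0
    for m in ALLOWED_TAG.finditer(comment):
        out.append(_escape_text(comment[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(_escape_text(comment[pos:]))
    return "".join(out)


def store_truncating(comment: str) -> str:
    """Vulnerable pipeline: filter first, then let storage silently cut at the limit."""
    return sanitize(comment)[:STORAGE_LIMIT]


def store_checked(comment: str) -> str:
    """Hardened pipeline: reject what will not fit intact instead of truncating filtered HTML."""
    clean = sanitize(comment)
    if len(clean) > STORAGE_LIMIT:
        raise ValueError("comment exceeds storage limit; refusing to truncate filtered HTML")
    return clean


def has_dangling_tag(stored: str) -> bool:
    """True if the last '<' in the stored text never reached its closing '>'."""
    return stored.rfind("<") > stored.rfind(">")


def survives_refilter(stored: str) -> bool:
    """Audit check for existing rows: filtered markup must be a fixed point of the filter."""
    return sanitize(stored) == stored


# Constructed sample: harmless filler pushes an allowed tag across the limit.
SAMPLE = "x" * (STORAGE_LIMIT - 8) + '<a title="ok">t</a>'

if __name__ == "__main__":
    stored = store_truncating(SAMPLE)
    print("dangling tag after truncation:", has_dangling_tag(stored))  # True
    print("stored row still passes the filter:", survives_refilter(stored))  # False
```

Running `survives_refilter` over already-stored comments is the cheap audit a site owner can do for rows written before a fix; `store_checked` is the shape of the fix itself, refusing oversized input rather than trusting the database to shorten it.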

A limiting factor is that to go live, the malicious comment must bypass WordPress’ comment moderation features, meaning the attacker would need, for instance, to first post a harmless comment, Klikki Oy said.

The company released proof-of-concept code and a video demonstrating the exploit.

WordPress said it is preparing a fix, but did not disclose when it might arrive. Researchers recommended disabling comments or using the Akismet plugin to secure websites until a fix appears.

Popular attack target

The bug is similar to one reported in 2014 and patched only last week, after 14 months, according to Klikki Oy. That bug used an invalid character to trigger the exploit.

Cross-site scripting attacks account for the vast majority of web-based exploits, according to Symantec, and WordPress is a favourite target due to its status as the most widely used web content publishing system, powering more than 60 million websites. The FBI earlier this month warned that political extremists are currently targeting WordPress sites.

Dozens of WordPress plugins have been updated in recent days in order to patch a widespread XSS vulnerability that resulted from programmers’ incorrect use of two commonly used programming functions that modify or add query strings to web addresses. The updates were part of a coordinated response to an advisory earlier this month that brought the issue to light.
