A new exploit in WordPress was disclosed today, revealing that an XSS attack can be made through comments on a WordPress blog.
There are examples of hackers attempting to exploit this in the wild, so the threat is definitely a significant one to webmasters who allow commenting through WordPress.
From the Sucuri Blog:
If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the site’s code if the code runs when in a logged-in administrator browser.
You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.
Bottom line, you should disable comments immediately on all blogs until a patch has been released by WordPress. It isn’t known when it will be released but it has been reported they are aware and are working on a patch.
Akismet is reportedly catching these comments and flagging them as spam, however site owners will want to be very careful that the code in the comment isn’t activated accidentally.
If you need to disable comments, it can be easier said than done, since you can’t easily disable comments retroactively. Here is how to temporarily (or permanently) disable comments from both older posts and from new ones.
Usually, exploits this significant tend to be reported on after companies have the opportunity to patch the security issue in a timely manner, something we have seen happen multiple times recently. But in this case, there seems to be an issue between the discoverer of the exploit, Klikki and WordPress, as WordPress seemingly refused all communication with the company that discovered it. This appears to be the reason why the exploit was disclosed publicly before a patch was released.
WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to respond to the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status our open bug tickets.
Klikki Oy also released a video of the attack in action.
So disable those comments to be safe and make sure you update your WordPress as soon as the patch becomes available.
Update 4/27/15 11:40 PST: WordPress has now released a patch. If you have auto-updates enabled it will update for you, although you can update manually immediately. Those who do not have auto-updates will need to do it manually.
Jennifer Slegg
Latest posts by Jennifer Slegg (see all)
- 2022 Update for Google Quality Rater Guidelines – Big YMYL Updates - August 1, 2022
- Google Quality Rater Guidelines: The Low Quality 2021 Update - October 19, 2021
- Rethinking Affiliate Sites With Google’s Product Review Update - April 23, 2021
- New Google Quality Rater Guidelines, Update Adds Emphasis on Needs Met - October 16, 2020
- Google Updates Experiment Statistics for Quality Raters - October 6, 2020