WordPress is in trouble once again, addressing a severe flaw in their latest WordPress 4.2.2 update that patches yet another Cross-Site Scripting (XSS) flaw in several WordPress themes and plugins. The mandatory update was pushed early Wednesday, following the public disclosure of the vulnerability.
A swath of WordPress plugins and themes that use the genericons package are vulnerable to a DOM-based XSS vulnerability due to an insecure file included within the package. Affected plugins include Jetpack, while affected themes include TwentyFifteen, the default theme installed on all WordPress blogs. Exact numbers of vulnerable websites may be impossible to grasp, but both the plugin and theme are installed across millions of WordPress sites around the world, including some of the worlds leading blogs.
Any plugin or theme making use of the genericon package is vulnerable if it includes the example.html file that comes prepackaged with the install.
Sucicri security firm said the DOM-based vulnerability is simple to exploit and occurs at the Document Object Model (DOM) level. For those not familiar with DOM attacks, the OWASP security community explains it well:
“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) ‘environment’ in the victim’s browser used by the original client side script, so that the client side code runs in an ‘unexpected’ manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”
In short, this means the XSS payload never reaches the server and the payload executes directly in the browser. Meaning sites using Web Application Firewalls (WAF) or a set of protocols to defend against attacks can still be easily infected.
DOM-based XSS attacks are not commonly targeted by hackers due to the level of work needed to exploit the victim. For a DOM attack to work, one must get a victim to click a specially crafted link.
What’s particularly striking about this story is many WordPress websites were exploited in the wild days prior to the WordPress 4.2.2 disclosure.
Fortunately there is an easy fix. Remove any genericons/example.html files from your server or set specific rules to block access to them. However, WordPress has released a mandatory security patch that will do this for you. Go to Dashboard > Updates and click Update to WordPress 4.2.2.
The following hosts have already patched the genericons XSS vulnerability for all WordPress sites hosted on them:
This critical flaw was accidentally left in the test file from Automattic, the company who owns and operates WordPress along with their plugins and themes.
What’s particularly concerning is the scope of the vulnerability, seeing as the theme comes pre-installed and Jetpack is one of the highest rated plugins of all time. Some WordPress installs even come pre-packaged with Jetpack.
WordPress is no stranger to XSS attacks. In less than two weeks, WordPress has issued three individual core patches addressing severe XSS vulnerabilities, one so severe a single comment could hijack your WordPress website.
Is you own or operate a WordPress blog, we strongly recommend you upgrade to the latest WordPress 4.2.2. The update only patches the addressed vulnerabilities and should not impact any custom code within your WordPress plugins or themes.