Most of the WordPress vulnerabilities we have reported on involved vulnerable plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core of the WordPress content management system itself.
Yes, you heard it right. The WordPress CMS, used by millions of websites, is vulnerable to a zero-day flaw that could allow hackers to execute code remotely on the web server and take full control of it.
The vulnerability, found by Jouko Pynnönen of the Finland-based security firm Klikki Oy, is a cross-site scripting (XSS) flaw buried deep in the WordPress comments system.
The vulnerability affects WordPress versions 3.9.3, 4.1.1, 4.1.2 and the latest release, WordPress 4.2.
Pynnönen disclosed the details of the zero-day flaw, along with a video and proof-of-concept exploit code, in a blog post on Sunday, before the WordPress team had released a patch.
Why did the researcher make the 0-day public?
A similar cross-site scripting (XSS) vulnerability was patched this week by WordPress developers, nearly 14 months after the bug was reported to the team.
Fearing a similar delay in fixing this hole, Pynnönen went public with the details of the critical zero-day vulnerability in WordPress 4.2 and below, so that users of the popular content management system could be warned beforehand.
Moreover, Pynnönen reported the vulnerability to the WordPress team, but they "refused all communication attempts" he made since November 2014.
The exploitation of the 0-day vulnerability:
The vulnerability allows a hacker to inject malicious JavaScript code into the comments section that appears at the bottom of millions of WordPress blog and article posts worldwide, an action that WordPress should block under ordinary circumstances.
This could allow hackers to change passwords, add new administrators, or take other actions that only the legitimate administrator of the website should be able to perform. This is what we call a cross-site scripting attack.
Pynnönen described the 0-day flaw as follows:
"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," Pynnönen wrote in a blog post published Sunday evening. "Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."
How does the 0-day exploit work?
The zero-day exploit provided by the researcher works by posting a simple piece of JavaScript code as a comment and then appending as many as 66,000 characters, or over 64 KB, of text to it.
When the comment is processed by someone with WordPress administrator rights to the website, the malicious code is executed without giving any indication to the admin.
By default, WordPress does not automatically publish a user's comment on a post until the user has been approved by the administrator of the site.
Hackers can bypass this limitation by fooling the administrator with a benign first comment; once it is approved, any further malicious comments from that person on the same post are automatically approved and published.
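The failure mode behind the exploit described above is that the comment is checked before storage but silently cut short by the storage layer afterwards, so the stored fragment is no longer the string that was checked. The following is an added defensive example, not the article's or WordPress's code; the 65,535-byte limit (the article's "over 64 KB") and the helper names are assumptions.

```python
import re

# Assumed storage limit in bytes, taken from the article's "over 64 KB" figure.
COLUMN_LIMIT = 65535

# Matches one complete tag: optional '/', a name, optional attributes, closing '>'.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)(?:\s[^<>]*)?>")
VOID_TAGS = {"br", "img", "hr"}


def is_well_formed(fragment: str) -> bool:
    """True if every '<' starts a complete tag and open/close tags balance."""
    stack, pos = [], 0
    for m in TAG_RE.finditer(fragment):
        if "<" in fragment[pos:m.start()]:
            return False  # stray '<' outside a complete tag
        closing, name = m.group(1), m.group(2).lower()
        if closing:
            if not stack or stack.pop() != name:
                return False
        elif name not in VOID_TAGS:
            stack.append(name)
        pos = m.end()
    return "<" not in fragment[pos:] and not stack


def simulate_silent_truncation(comment: str, limit: int = COLUMN_LIMIT) -> str:
    """Mimic a storage layer that cuts the value at `limit` bytes without error."""
    return comment.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def accept_comment(comment: str, limit: int = COLUMN_LIMIT) -> bool:
    """Guard to run before storage: reject anything the column cannot hold whole."""
    return len(comment.encode("utf-8")) <= limit and is_well_formed(comment)


def build_sample(limit: int = COLUMN_LIMIT) -> str:
    """Constructed sample: a harmless link whose title attribute crosses the limit."""
    padding = "x" * (limit + 100)
    return f'<p>See <a href="https://example.com" title="{padding}">this</a></p>'


if __name__ == "__main__":
    sample = build_sample()
    print("well-formed before storage:", is_well_formed(sample))          # True
    print("well-formed after truncation:", is_well_formed(simulate_silent_truncation(sample)))  # False
    print("guard accepts oversized comment:", accept_comment(sample))   # False
```

The point is that the length check belongs in front of storage: once the database has cut the value, the well-formedness check that passed earlier no longer says anything about what is actually rendered.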
WordPress patches the 0-day flaw:
To fix the security hole, administrators should upgrade their CMS to WordPress 4.2.1, which was released a few hours ago.
"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," the WordPress team said of the latest version.
WordPress version 4.2.1 reportedly fixes the zero-day vulnerability reported by Pynnönen. So if you own a WordPress website, make sure you run an updated version of the CMS with all plugins up to date.