
Millions of WordPress Websites Affected By Plugin Vulnerability

Web security firm Sucuri has reported on the discovery of a WordPress plugin vulnerability affecting any site that uses the genericons package.

At this time, the Jetpack plugin (installed on over 1 million sites) and the TwentyFifteen theme (installed by default) have been identified as vulnerable. Any plugin is potentially vulnerable if it ships the example.html file that comes with the genericons package.

That being said, the simple fix to protect yourself from this vulnerability is to remove the example.html file from the genericons package, which is unnecessary to begin with.

Sucuri managed to detect this vulnerability before it was disclosed, which means it has had literally zero days in the wild. Due to the quick response time, this vulnerability is said to have low severity, but Sucuri warns that it’s easy to exploit.


If you’re interested in the more technical details of this vulnerability, Sucuri describes it as a DOM-based XSS, which works as follows:

“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”
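As an added illustration of the pattern the quote describes (this is not the genericons example.html code and not Sucuri's): the server's response is identical in both versions below, and only the browser-side script decides whether the URL fragment is treated as markup or as text. The `makeElement` stand-in for a DOM element and the two render functions are assumptions made for this example so it runs under Node.

```javascript
// Stand-in for a DOM element (assumption for this example): innerHTML stores
// markup verbatim, textContent stores the value as text, the way a browser
// would serialize it back.
function makeElement() {
  let html = "";
  const esc = (s) => s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = v; },      // HTML sink: parsed as markup
    set textContent(v) { html = esc(v); } // text sink: never parsed as markup
  };
}

// Vulnerable pattern: the part of the URL after '#' flows straight into an
// HTML sink. The fragment is never sent to the server, so server-side logs
// and scanners see an ordinary request for an unchanged page.
function renderIconNameUnsafe(locationHash, el) {
  const name = decodeURIComponent(locationHash.slice(1));
  el.innerHTML = "<p>Selected icon: " + name + "</p>";
  return el.innerHTML;
}

// Hardened pattern: the same untrusted fragment is written through a text
// sink, so any tags it carries are rendered as literal characters.
function renderIconNameSafe(locationHash, el) {
  const name = decodeURIComponent(locationHash.slice(1));
  el.textContent = "Selected icon: " + name;
  return el.innerHTML;
}
```

The safest mitigation for a demo page like example.html is the one the article gives: delete it, since nothing on the site depends on it.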


Sucuri had the foresight to reach out to web hosts to have them virtually patch the vulnerability. The following hosts are confirmed to have rolled out the virtual patch:

  • GoDaddy
  • HostPapa
  • DreamHost
  • ClickHost
  • Inmotion
  • WPEngine
  • Pagely
  • Pressable
  • Websynthesis
  • Site5
  • SiteGround

If your website is hosted with one of the above companies, you’re protected. If your site is hosted with a different company, it’s up to you to fix the issue manually. Sucuri highly recommends removing the example.html file from the genericons directory.

Matt Southern

Lead News Writer at Search Engine Journal