Vulnerability Found in Latest Versions of WordPress, Patch Now Available

A new stored cross-site scripting (XSS) vulnerability in comments, being described as a “zero day”, has been found in the latest versions of WordPress: 4.2, 4.1.2, 4.1.1, and 3.9.3.

The zero-day exploit allows an attacker to insert JavaScript into comments. An attacker could leverage this type of vulnerability to insert code onto the website’s server through the plugin and theme editors.

In addition, through this exploit an attacker could also change the administrator’s password, create new administrator accounts, or do anything else that a logged-in admin would be able to do.

An attacker triggers this exploit by posting an excessively long comment that exceeds the size limit of the MySQL TEXT column type, which causes the stored comment to be truncated. Because the cut can fall in the middle of an HTML tag, the truncated comment produces malformed HTML when it is rendered on the web page.
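The failure mode described above is a sanitize-then-truncate ordering bug: markup that was well-formed when it passed the comment filter is cut by the database afterwards. The following is an added example, not code from the article or from WordPress, that reproduces the mechanism with a toy allow-list sanitizer and a simulated non-strict MySQL TEXT column (65535 bytes), then shows the defender's fix: enforce the storage limit on the sanitized output before it is written, and refuse to render anything that is no longer well-formed. The sanitizer, the allowed tag list, and the pipeline functions are all assumptions for illustration.

```python
import html
import re

# MySQL TEXT column capacity in bytes (the limit the article's description refers to).
TEXT_MAX_BYTES = 65535

# Toy allow-list of tags a commenter may use (assumption for this example, not WordPress's list).
ALLOWED_TAGS = {"a", "b", "i", "strong", "em"}

# Matches a complete tag: '<', optional '/', a name, attributes without '<' or '>', then '>'.
TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^<>]*)>")


def sanitize(comment: str) -> str:
    """Allow-list sanitizer: complete allowed tags pass through, everything else is escaped.
    A partial tag (no closing '>') never matches TAG_RE and so is escaped as text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        if m.group(2).lower() in ALLOWED_TAGS:
            out.append(m.group(0))
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)


def store_as_text(value: str) -> str:
    """Simulate a non-strict MySQL server silently truncating an INSERT into a TEXT column."""
    return value.encode("utf-8")[:TEXT_MAX_BYTES].decode("utf-8", "ignore")


def is_well_formed(fragment: str) -> bool:
    """True if every '<' begins a complete tag and open/close tags balance."""
    if fragment.count("<") != len(TAG_RE.findall(fragment)):
        return False  # a dangling '<' means a tag was cut off
    stack = []
    for closing, name, _ in TAG_RE.findall(fragment):
        if closing:
            if not stack or stack.pop() != name.lower():
                return False
        else:
            stack.append(name.lower())
    return not stack


def vulnerable_pipeline(comment: str) -> str:
    """Sanitize first, then let the database truncate: the stored HTML can be cut mid-tag."""
    return store_as_text(sanitize(comment))


def hardened_pipeline(comment: str) -> str:
    """Check the size of what will actually be stored, and never render markup that was cut."""
    sanitized = sanitize(comment)
    if len(sanitized.encode("utf-8")) > TEXT_MAX_BYTES:
        raise ValueError("comment exceeds storage limit; rejected instead of silently truncated")
    stored = store_as_text(sanitized)  # no longer truncates, but keeps the same storage path
    if not is_well_formed(stored):     # defence in depth: fall back to plain text
        return html.escape(stored)
    return stored


def hardened_accepts(comment: str) -> bool:
    """Convenience wrapper: does the hardened pipeline accept this comment?"""
    try:
        hardened_pipeline(comment)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    # Constructed input: padding places the database cut inside the link's href attribute.
    link = '<a href="https://example.com/page">link</a>'
    comment = "A" * (TEXT_MAX_BYTES - 10) + link
    stored = vulnerable_pipeline(comment)
    return stored[-10:], is_well_formed(stored), hardened_accepts(comment)


if __name__ == "__main__":
    tail, ok, accepted = demo()
    print("vulnerable store ends with:", repr(tail))   # a tag cut in the middle
    print("well-formed after truncation:", ok)         # False
    print("hardened pipeline accepts it:", accepted)   # False
```

Running MySQL in strict SQL mode turns the silent truncation into an insert error, which is the same control as the length check here but enforced by the database; the well-formedness fallback covers any path where the length check is bypassed.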

“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

In these two cases, the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.”

The WordPress security team has released a patch that is now available to download, or to update through your WordPress dashboard. This is considered a critical security release for all previous versions, and an immediate update is strongly encouraged.

Matt Southern

Lead News Writer at Search Engine Journal

Matt Southern has been the lead news writer at Search Engine Journal since 2013. With a degree in communications, Matt ...
