WordPress Sites Hit by Critical Cross-Site Scripting Bug

Posted by at 11:23 am on November 24, 2014

Versions of WordPress 3.0 up to 3.9.2 were discovered to contain a security vulnerability in the site's comment feature, leaving a large number of installs and servers open to attack. The bug was discovered by Jouko Pynnonen of the Finnish IT company Klikki Oy; it had gone unnoticed for more than four years, having been introduced with version 3.0 in June 2010.

The bug allows the injection of JavaScript into the comment areas of the blogging and content management platform, including the comments on blog posts and pages. Comments can be left on sites that don’t require authentication (login) to post, which is the default setting on WordPress installs. The injected JavaScript then executes whenever the comment is rendered, mostly affecting administrators who view the comments through the dashboard. Under some settings the attacks could be crafted to target ordinary visitors as well.

In a proof of concept, the Finnish IT company was able to perform actions with administrator privileges once the code was executed, such as cleaning the injected code out of the database, changing passwords, adding new administrator-level accounts, or writing attacker-supplied PHP code to the server through the plug-in editor. In the case of writing code to the server, an AJAX request can then be used to gain operating-system-level access. It is noted that viewing the comments in the dashboard's overview likely won’t trigger the execution, since administrators only see a 20-word snippet there.
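The mechanics described above come down to untrusted comment text reaching the page as live markup. The following added example (written for this article; not code from WordPress or from Klikki Oy) shows the unsafe rendering pattern beside a hardened renderer that HTML-escapes every untrusted field, plus a small heuristic detector a site owner could run over stored comments to triage ones that carry script tags, inline event handlers or javascript: URLs. The comment records and all function names are constructed for illustration.

```python
"""Added example: unsafe vs. escaped rendering of user comments, and a
triage scan over stored comments. Not code from the article or from
WordPress; sample data and names are constructed."""
import html
import re
from typing import Dict, List

# Constructed sample comments, as a site might hold them in its database.
SAMPLE_COMMENTS: List[Dict[str, str]] = [
    {"id": "1", "author": "alice", "body": "Great post, thanks!"},
    {"id": "2", "author": "bob", "body": "Use <b>bold</b> for emphasis."},
    {"id": "3", "author": "anon", "body": "<script>document.title='x'</script>"},
    {"id": "4", "author": "anon", "body": '<img src=x onerror="alert(1)">'},
    {"id": "5", "author": "anon", "body": '<a href="javascript:void(0)">link</a>'},
]


def render_comment_unsafe(comment: Dict[str, str]) -> str:
    """The vulnerable pattern: untrusted text interpolated straight into markup,
    so any tag inside the comment body becomes part of the page."""
    return f'<li class="comment"><b>{comment["author"]}</b>: {comment["body"]}</li>'


def render_comment_safe(comment: Dict[str, str]) -> str:
    """Hardened: HTML-escape every untrusted field before it reaches the page.
    The browser then shows the text literally instead of parsing it as markup."""
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return f'<li class="comment"><b>{author}</b>: {body}</li>'


# Heuristic patterns that should never appear in a comment body on a site that
# only permits plain formatting tags. Useful for triage of already-stored
# comments; it is not a substitute for escaping or allow-list sanitization.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I)),
]


def flag_suspicious(comments: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {comment_id: [matched pattern names]} for comments worth review."""
    findings: Dict[str, List[str]] = {}
    for c in comments:
        reasons = [name for name, rx in SUSPICIOUS if rx.search(c["body"])]
        if reasons:
            findings[c["id"]] = reasons
    return findings


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_comment_safe(c))
    print(flag_suspicious(SAMPLE_COMMENTS))
```

Note that full escaping also neutralizes the legitimate `<b>` in comment 2; a site that wants to allow a few formatting tags needs an allow-list sanitizer that strips everything else, which is a stricter design than trying to block known-bad patterns.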

Klikki Oy reported the vulnerability to WordPress on September 26, and WordPress pushed forced updates for some older versions on November 20. WordPress launched automatic updates to upgrade 3.9.2 to 3.9.3, 3.8.4 to 3.8.5 and 3.7.4 to 3.7.5 to address the issue. Klikki Oy and WordPress worked together on the fix after the bug was reported.

Klikki Oy reports that vulnerable versions of WordPress made up 90 percent of all installs on the date the company informed WordPress of the problem. When the IT company and WordPress publicly reported the issue on November 20, 86 percent of the total install base was vulnerable. As of the time of this article, up to 84.9 percent of all WordPress sites contain the vulnerability. That number could drop by up to 31.6 percent as the automatic updates pushed for versions 3.7 to 3.9 take effect. However, not every vulnerable site can actually be exploited, because particular settings are required for the injected code to run.

For those WordPress users with an install of 4.0 or 4.0.1, the vulnerability can no longer be exploited, since the way the system handles the expression is different. WordPress urges users to update to the newest 4.0 version, since support for older versions is no longer offered. Klikki Oy created a plug-in to fix the vulnerability for those who cannot update their WordPress installs.
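For anyone auditing a fleet of sites against the version ranges the article reports, the following added example (not code from the article, WordPress or Klikki Oy) classifies a WordPress version string as patched, vulnerable with an automatic update available, vulnerable with no supported update, or not exploitable on 4.0 and later. The branch-by-branch rules are an assumption drawn from the article's text (3.0 through 3.9.2 affected; fixes in 3.7.5, 3.8.5 and 3.9.3; 4.0 and 4.0.1 not exploitable; older 3.x branches unsupported), and the inventory is constructed for illustration.

```python
"""Added example: triage WordPress version strings against the ranges the
article reports. Branch rules are an assumption based on the article; the
inventory below is constructed sample data."""
from collections import Counter
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Fixed release per supported branch, as reported in the article.
BRANCH_FIX: Dict[Tuple[int, int], Version] = {
    (3, 7): (3, 7, 5),
    (3, 8): (3, 8, 5),
    (3, 9): (3, 9, 3),
}


def parse_version(s: str) -> Version:
    """Turn '3.9' or '3.9.2' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in s.strip().split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def classify(version: str) -> str:
    """Classify one install's version string."""
    v = parse_version(version)
    if v >= (4, 0, 0):
        return "not-exploitable"          # 4.0 / 4.0.1 handle the expression differently
    if v < (3, 0, 0):
        return "out-of-scope"             # predates the bug as reported
    fix = BRANCH_FIX.get((v[0], v[1]))
    if fix is None:
        return "vulnerable-unsupported"   # 3.0-3.6: no automatic update offered
    return "patched" if v >= fix else "vulnerable-update-available"


def triage(inventory: Iterable[str]) -> Dict[str, int]:
    """Count installs per classification."""
    return dict(Counter(classify(v) for v in inventory))


# Constructed inventory of version strings, e.g. pulled from site metadata.
SAMPLE_INVENTORY = ["3.9.2", "3.9.3", "3.8.4", "3.8.5", "3.7.5", "3.5.1", "4.0", "4.0.1"]

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        print(f"{v:>6}  {classify(v)}")
    print(triage(SAMPLE_INVENTORY))
```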

As is the case with most software, the newest WordPress version isn’t free of security issues either, as indicated by the recent critical update to 4.0.1. WordPress strongly encourages users to upgrade to 4.0.1, which repairs eight bugs relating to cross-site scripting, account takeover, request forgery and other compromising situations.

Copyright © 2008 - 2024 · StreetCorner Media , LLC· All Rights Reserved ·