Millions of WordPress sites open to attack

WordPress rushes out security update to fix flaw

WordPress and Drupal flaw hits 23% of world's websites

WordPress has hurried to push out an update to fix a vulnerability that affects tens of millions of sites using the popular CMS software.

The flaw could allow hackers to store malicious JavaScript in comment fields, which the server hosting the website would then serve to anyone viewing the comment.

The cross-site scripting (XSS) vulnerability was discovered by Jouko Pynnönen, a researcher with Finnish IT company Klikki. It affects sites running version 4.2 or earlier. The problem is due to a defect in how WordPress handles exceptionally long comments, about 64Kb in size.
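The failure mode described above, a comment that passes sanitisation and is then silently cut by a fixed-size storage column, is illustrated by the following Python sketch. It is an added example, not WordPress code and not part of the article: the toy allowlist sanitiser, the 65535-byte limit (a constructed value mirroring the roughly 64Kb figure quoted here) and all function names are assumptions.

```python
import html
import re

# Constructed limit mirroring the ~64Kb figure in the article; a MySQL TEXT column holds 65535 bytes.
STORAGE_LIMIT = 65535

# Toy allowlist: only <b>, </b>, </a> and <a href="..."> with a double-quoted href survive as markup.
_ALLOWED = re.compile(r'<(b|/b|a href="[^"<>]*"|/a)>')


def sanitize(comment: str) -> str:
    """Escape everything, then restore the allowlisted tags verbatim."""
    out, pos = [], 0
    for m in _ALLOWED.finditer(comment):
        out.append(html.escape(comment[pos:m.start()], quote=True))
        out.append(m.group(0))
        pos = m.end()
    out.append(html.escape(comment[pos:], quote=True))
    return "".join(out)


def is_clean(stored: str) -> bool:
    """Invariant a renderer relies on: once allowlisted tags are removed, no raw markup characters remain."""
    rest = _ALLOWED.sub("", stored)
    return not any(c in rest for c in '<>"')


def truncate_bytes(s: str, limit: int) -> str:
    """Cut at a byte boundary the way a fixed-size column would, dropping any split multibyte character."""
    return s.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def store_truncating_after_sanitize(comment: str) -> str:
    """Fragile order: sanitise first, then let the storage layer cut the result without re-checking it."""
    return truncate_bytes(sanitize(comment), STORAGE_LIMIT)


def store_with_length_check(comment: str) -> str:
    """Hardened order: measure the sanitised form (the bytes that actually hit the column) and reject oversize input."""
    clean = sanitize(comment)
    if len(clean.encode("utf-8")) > STORAGE_LIMIT:
        raise ValueError("comment exceeds storage limit")
    return clean


def demo() -> dict:
    # Constructed input: harmless markup whose only problem is its size.
    oversized = '<a href="' + "x" * 70_000 + '">link</a>'
    stored = store_truncating_after_sanitize(oversized)
    # The cut lands inside the href attribute, leaving an unterminated quote and a dangling tag.
    result = {"fragile_is_clean": is_clean(stored), "hardened_rejects": False}
    try:
        store_with_length_check(oversized)
    except ValueError:
        result["hardened_rejects"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of measuring the sanitised form rather than the raw input is that escaping can make a comment longer, so a length check on the raw text can still let an over-limit string reach the column.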

The zero-day payload could be injected into a comment and, when viewed by a site administrator, could then change passwords, create new users or do anything else that would normally require admin rights. The flaw is a rare beast in that it affects the core part of the CMS rather than some badly-coded third-party plugin.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” said Pynnönen in a blog post.

In response, Automattic, the company behind the open source WordPress software, released version 4.2.1 to fix the flaw.

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," said the firm in a statement.

This update comes just a week after WordPress released version 4.2 of the software that, among other things, fixed a similar vulnerability reported by security researcher Cedric Van Bockhaven. The researcher reported that flaw in February of last year, but only now has WordPress fixed the bug.

Pynnönen said he chose to go public over the flaw rather than report it to WordPress because of the time it took to respond to Van Bockhaven's discovery. He also said that WordPress had “refused all communication attempts about our ongoing security vulnerability cases since November 2014.”

“We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014,” he added.

Martin Lee, Intelligence manager at Alert Logic, told SCMagazineUK.com in an email that as criminals are adept at exploiting vulnerabilities in WordPress plugins, “a vulnerability in the core engine poses no barrier.”

“They will add the exploitation technique to their tool kits and seek to compromise as many websites as possible because that makes them more profit,” he said.

He added that installing a managed Web Application Firewall in front of websites can “detect and block attempts at exploiting websites even though the installed software may not be fully up to date.”

Harry Metcalfe, managing director of dxw, told SCMagazineUK.com that, assuming WordPress is kept up to date, “plugins remain a much more significant threat for most users, as their quality varies much more substantially.

“Over half of plugins we have examined over the years contain serious vulnerabilities, and this is backed up by the pentests we've carried out. It's almost always plugins that let down the sites we test, not the core,” said Metcalfe.

Paco Hope, principal consultant at software security consultancy Cigital, told SCMagazineUK.com that organisations must “really be diligent about keeping it patched and up to date, and there's little excuse for falling behind, because WordPress updating is utterly painless for the vast majority of its users.

“There are also specialised WordPress security plugins like Bad Behaviour, Akismet and WP Security Scan. The WordPress ecosystem is rich with tools to help, notices of updates, and easy installation of plug-ins, which means it is essentially negligence for a site administrator to fall very far behind for very long.”

Last week, a slew of XSS vulnerabilities were discovered in plugins used by websites to extend the functionality of WordPress. These were because of the incorrect use of the ‘add_query_arg()’ and ‘remove_query_arg()’ functions, according to researchers at Sucuri.

IT security company High-Tech Bridge identified multiple high risk vulnerabilities in WordPress' TheCartPress eCommerce shopping cart plugin, which can be exploited to compromise customers' data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations.

The firm said TheCartPress was notified of these vulnerabilities on 8 April but, as of the time of going to press, there has been no response and the vulnerabilities still remain.