WordPress XSS flaw an example of growing sophistication

A flaw has been found in the genericons WordPress package that creates vulnerabilities in any plug-in or theme which uses it.


Two very popular assets – the JetPack plug-in and the TwentyFifteen theme which is installed by default – have been found to be vulnerable, according to David Dede, writing on the Sucuri blog.

This vulnerability follows the news that WordPress recently had to rush out a patch for another flaw. That earlier flaw allowed hackers to store malicious JavaScript in comment fields so that it would be executed on the website hosting the comments.

Dede says of this most recent vulnerability that millions of WordPress installs could be affected. “The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package,” he wrote.

The flaw is a DOM-based cross-site scripting (XSS) vulnerability which Dede said is very easy to exploit.

In a DOM-based XSS attack the payload is carried in the URL and picked up by the page's own client-side script, which writes it back into the document, so the malicious code runs in the user's browser without the page's server ever processing it. “That means the XSS payload is never sent to the server side and is executed directly at the browser,” Dede wrote, which means the server can't block it. “DOM-based XSS [attacks] are very tricky to block.”

The solution, he said, is to remove the test file – genericons/example.html – or use a website firewall.

However, he said that given the widespread use of WordPress, it was likely that despite publicity about the vulnerability, many installs would not be patched, leaving hackers with plenty of sites to attack.

He said that the cause of the vulnerability was a failure by the developer, Automattic, and the WordPress team to remove the example.html file. Automattic has released an update of genericons in which the file has been removed.

Commenting on the vulnerability, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazineUK.com: “[It] looks like this XSS was very well hidden, as many security researchers and auditors would just skip an HTML file from the scope of their security testing.”

It's indicative of a growing sophistication in vulnerabilities and attack vectors. “It's a very interesting example of non-standard XSS (DOM-based in HTML documentation) in WordPress that confirms our predictions that ‘classical’ vulnerabilities will be replaced by complicated ones that we haven't seen before,” he said.

He rated the danger level as high. “This vulnerability is particularly dangerous as the malicious XSS payload is supplied after the # character and therefore is not even received by the server that can block it with a WAF [firewall] for example. We strongly recommend all WordPress users to correct this vulnerability without delay.”
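To make concrete the two points made above (Dede's, that a DOM-based payload never reaches the server, and Kolochenko's, that anything after the # character is invisible to a WAF), here is an added example that is not from the article, from Sucuri or from the Genericons package. It models, in plain Node.js with no browser, what a demo page does when its script copies the URL fragment into the page, what the server actually receives for the same URL, and two ways the sink could have been written safely. The URL path, the `utm=demo` query and the fragment are constructed sample values; the fragment is the textbook XSS test string rather than anything from the advisory.

```javascript
// Added example (not the article's or Genericons' code). Models the DOM-based
// XSS pattern: page script reads the URL fragment and writes it into the DOM.
// The "document" sink is modelled as a returned HTML string so this runs in Node.
// Node's global WHATWG URL class is used; no extra modules are needed.

// Constructed sample URL: hypothetical site path, sample query, and the classic
// educational XSS test string in the fragment.
const SAMPLE_URL =
  "https://blog.example/wp-content/themes/twentyfifteen/genericons/example.html" +
  "?utm=demo#<img src=x onerror=alert(1)>";

// What the browser puts on the wire: the request-target is path + query only.
// The fragment stays on the client, so access logs and a WAF never see it.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// What the page's own script sees: location.hash minus the leading "#".
// The URL parser percent-encodes "<", ">" and spaces in the fragment, so we
// decode to get back what the author of the link typed.
function fragmentOf(urlString) {
  const u = new URL(urlString);
  return decodeURIComponent(u.hash.slice(1));
}

// Vulnerable sink: the equivalent of element.innerHTML = prefix + fragment.
// Markup in the fragment becomes live markup in the page.
function renderUnsafe(fragment) {
  return "<div class='preview'>" + fragment + "</div>";
}

// Fix 1: treat the fragment as text. In a browser, assigning to textContent
// does this; here the HTML metacharacters are escaped explicitly.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(fragment) {
  return "<div class='preview'>" + escapeHtml(fragment) + "</div>";
}

// Fix 2: allow-list. A glyph demo page only ever needs an icon name in the
// fragment, so accept that shape and nothing else (pattern is an assumption).
function acceptedIconName(fragment) {
  return /^[a-z0-9-]{1,40}$/.test(fragment) ? fragment : null;
}

// Review check: did the sink reflect fragment-supplied markup verbatim?
// Useful when auditing static HTML files that scanners tend to skip.
function reflectsMarkup(rendered, fragment) {
  return /<[a-z]/i.test(fragment) && rendered.includes(fragment);
}

// Summary of the three views of the same URL.
function summarize(urlString) {
  const frag = fragmentOf(urlString);
  return {
    serverSees: requestTarget(urlString),
    scriptSees: frag,
    unsafeSinkReflects: reflectsMarkup(renderUnsafe(frag), frag),
    safeSinkReflects: reflectsMarkup(renderSafe(frag), frag),
    allowListVerdict: acceptedIconName(frag),
  };
}

console.log(JSON.stringify(summarize(SAMPLE_URL), null, 2));
```

Running it shows `serverSees` ending in `example.html?utm=demo` with no trace of the fragment, while `scriptSees` holds the full markup; only the escaping or allow-list sink stops it from becoming part of the document. Removing the demo file, as the advisory recommends, removes the sink altogether, which is why that is the cleaner fix than any server-side filtering.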