Two very popular assets – the JetPack plug-in and the TwentyFifteen theme which is installed by default – have been found to be vulnerable, according to David Dede, writing on the Sucuri blog.
Dede says of this most recent vulnerability that millions of WordPress installs could be affected. “The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package,” he wrote.
The flaw is a DOM-based cross-site scripting (XSS) vulnerability which Dede said is very easy to exploit.
In a DOM-based XSS attack the payload is carried in the URL and picked up by the page's own client-side script, which writes it into the document so that the victim's browser executes it. “That means the XSS payload is never sent to the server side and is executed directly at the browser,” Dede wrote, which means the server cannot block it. “DOM-based XSS [attacks] are very tricky to block.”
The solution, he said, is to remove the test file – genericons/example.html – or use a website firewall.
However, he said that given the widespread use of WordPress, it was likely that despite publicity about the vulnerability, many installs would not be patched, leaving hackers with plenty of sites to attack.
He said that the cause of the vulnerability was a failure by the developer, Automattic, and the WordPress team to remove the example.html file. Automattic has released an update of genericons in which the file has been removed.
Commenting on the vulnerability, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazineUK.com: “[It] looks like this XSS was very well hidden, as many security researchers and auditors would just skip an HTML file from the scope of their security testing.”
It is indicative of a growing sophistication in vulnerabilities and attack vectors. “It's a very interesting example of non-standard XSS (DOM-based in HTML documentation) in WordPress that confirms our predictions that ‘classical’ vulnerabilities will be replaced by complicated ones that we haven't seen before,” he said.
He rated the danger level as high. “This vulnerability is particularly dangerous as the malicious XSS payload is supplied after the # character and therefore is not even received by the server that can block it with a WAF [firewall] for example. We strongly recommend all WordPress users to correct this vulnerability without delay.”
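The two practical points above, that the fix is to remove every leftover genericons/example.html and that a fragment payload never reaches the server, can be checked with the following audit script. It is an added example, not code from the article, Sucuri, Automattic or WordPress; the document root default and the directory layout it searches are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for leftover
# genericons/example.html test files (the file the article says should be
# removed) and show why a WAF never sees a fragment-borne payload.
# WP_ROOT default and wp-content layout are assumptions.
set -u

# Print every genericons/example.html under $1. Plugins and themes both
# bundle the package, so the whole wp-content tree is searched.
find_genericons_examples() {
    root="${1:-/var/www/html}"
    find "$root" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Number of copies still present; "0" means the site is clean.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every copy found under $1, reporting each path removed.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed: %s\n' "$f"
    done
}

# What the server (and any server-side WAF or access log) receives for a URL:
# browsers strip everything from '#' onward before sending the request,
# which is why a fragment payload cannot be filtered or logged server-side.
server_visible_url() {
    printf '%s\n' "$1" | sed 's/#.*//'
}
```

Run `count_genericons_examples /path/to/site` before and after an update to confirm the file is gone; `server_visible_url` is only there to illustrate why log review and WAF rules cannot catch this class of bug.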