A security researcher from Web security firm Sucuri recently discovered a cross-site scripting (XSS) vulnerability present in every default installation of WordPress, a popular content management system (CMS) used by millions of websites around the world. The vulnerability, which is part of the default WordPress Twenty Fifteen theme, is a DOM-based (Document Object Model) flaw. DOM is responsible for the rendering of images, text, links, and headers within a Web browser. The vulnerability is the result of an insecure file within the 'Genericons' package that allows the DOM environment of the victim's browser to be modified by hackers.
Rather than executing within the HTML portion of the browser, a DOM-based XSS attack executes its payload within the DOM environment. This means that the web page never changes - rather, the client side code contained on the page executes in a different manner as a result of malicious modifications made to the DOM environment. These vulnerabilities are much harder to detect than normal XSS attacks because the flaws are found within the script code from the web page.
What makes these DOM-based attacks so dangerous is that hackers can hijack a secure client-server session to carry out advanced phishing attacks.
Typically, these XSS attacks require that an administrator click on a malicious link while logging into a vulnerable installation of WordPress. Once the link has been clicked, hackers are able to gain full control of the vulnerable website. At the time of this writing, the vulnerability is only known to affect the default WordPress Twenty Fifteen theme and the JetPack plugin – a popular WordPress plugin that provides traffic, mobile content, and performance tools for webmasters that is currently in use by over one million websites worldwide.
This vulnerability has already been exploited in the wild but the exact number of WordPress installations affected by this vulnerability is still unknown. The JetPack plugin, for instance, comes pre-installed in millions of WordPress templates and the Twenty Fifteen theme is available to all WordPress users. Tens of millions of websites could be vulnerable to exploitation by this vulnerability. If the Genericons package is running on your WordPress installation, immediately delete the example.html file from this package or at the very least ensure the Web application firewall or intrusion detection system is blocking access to this file as this is where the vulnerability exists until your WordPress installation has been updated to the latest version.
WordPress has already released a patch to fix this vulnerability, but it remains the responsibility of the webmaster to update WordPress to this latest version (4.2.2) and protect the site from this dangerous exploit (only applicable if the Auto-update feature is disabled).
If you are a webmaster, ensure that the Auto-update feature is turned on to avoid the potential complications associated with this XSS attack and any future WordPress vulnerabilities that could compromise your website and ultimately, your online business reputation.