Another WordPress Vulnerability Discovered, Millions of Websites at Risk

A security researcher from Web security firm Sucuri recently discovered a cross-site scripting (XSS) vulnerability present in every default installation of WordPress, a popular content management system (CMS) used by millions of websites around the world. The vulnerability, which ships with the default WordPress Twenty Fifteen theme, is a DOM-based (Document Object Model) flaw; the DOM is the browser's in-memory representation of a page, from which images, text, links, and headers are rendered. The flaw lies in an insecure file within the 'Genericons' icon package that allows hackers to modify the DOM environment of the victim's browser.

Rather than executing within the HTML returned by the server, a DOM-based XSS attack executes its payload within the DOM environment. The page the server sends never changes; instead, the client-side script already on the page behaves differently because of malicious modifications to the DOM environment. These vulnerabilities are much harder to detect than ordinary XSS attacks because the flaw lies in the page's own script code rather than in the server's response.

What makes these DOM-based attacks so dangerous is that hackers can hijack a secure client-server session to carry out advanced phishing attacks.
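To make the mechanism concrete, here is an added example that is not code from the Genericons package, from WordPress, or from the real example.html (all function names and the sample URLs are hypothetical and constructed): a page script that copies the URL fragment into the page without escaping, beside a hardened version. Browsers never send the fragment after '#' to the server, which is why a DOM-based flaw leaves no trace in the server's response or logs and why the fix belongs in the client-side code or in removing the file.

```javascript
// Added example: a minimal DOM-based XSS source-to-sink pattern and its fix.
// Not the real Genericons example.html; the function names are hypothetical.

// Source: the URL fragment (everything after '#'). Browsers never send it to the
// server, so nothing in the server log shows what the victim's browser processed.
function fragmentOf(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : decodeURIComponent(url.slice(i + 1));
}

// Vulnerable sink: the fragment is concatenated straight into HTML that the page
// then assigns to element.innerHTML, so any markup in it becomes live DOM.
function renderUnsafe(url) {
  return '<h2>Icon: ' + fragmentOf(url) + '</h2>';
}

// Hardened sink: encode the HTML metacharacters so the browser treats the
// fragment as text. Equivalent to assigning element.textContent instead.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}
function renderSafe(url) {
  return '<h2>Icon: ' + escapeHtml(fragmentOf(url)) + '</h2>';
}

// Defensive check: flag fragments that contain markup at all, which is what a
// client-side validator should reject before the value reaches any sink.
function fragmentLooksLikeMarkup(url) {
  return /[<>]/.test(fragmentOf(url));
}

// Constructed sample URLs: a normal icon name and a fragment carrying markup.
const NORMAL = 'https://example.test/genericons/example.html#genericon-star';
const TAINTED = 'https://example.test/genericons/example.html#%3Cscript%3Ex%3C/script%3E';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(TAINTED)); // raw <script> element would land in the DOM
  console.log(renderSafe(TAINTED));   // rendered as harmless text
}
```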

Typically, these XSS attacks require that an administrator click on a malicious link while logged in to a vulnerable installation of WordPress. Once the link has been clicked, hackers are able to gain full control of the vulnerable website. At the time of this writing, the vulnerability is only known to affect the default WordPress Twenty Fifteen theme and the JetPack plugin, a popular WordPress plugin that provides traffic, mobile content, and performance tools for webmasters and is currently in use by over one million websites worldwide.


This vulnerability has already been exploited in the wild, but the exact number of WordPress installations affected is still unknown. The JetPack plugin, for instance, comes pre-installed in millions of WordPress templates, and the Twenty Fifteen theme is available to all WordPress users, so tens of millions of websites could be vulnerable. If the Genericons package is present on your WordPress installation, immediately delete the example.html file from this package, or at the very least ensure that your Web application firewall or intrusion detection system blocks access to this file (that file is where the vulnerability lies), until your WordPress installation has been updated to the latest version.

WordPress has already released a patch to fix this vulnerability, but it remains the responsibility of the webmaster to update WordPress to this latest version (4.2.2) and protect the site from this dangerous exploit (only applicable if the Auto-update feature is disabled).

If you are a webmaster, ensure that the Auto-update feature is turned on to avoid the potential complications associated with this XSS attack and any future WordPress vulnerabilities that could compromise your website and ultimately, your online business reputation.


About the author:

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
