On November 20, 2014, WordPress announced a critical cross-site scripting (XSS) vulnerability in the Internet's most popular and widely used content management system. Discovered by Jouko Pynnönen of the Finnish IT company Klikki Oy, the flaw allows anonymous users to compromise websites running versions of WordPress prior to 3.9.3 (that is, 3.9.2 and earlier; the 4.0 branch was not affected).
This is an extremely serious vulnerability because it affects millions of websites and gives an anonymous attacker a path to complete administrative control of a site and, potentially, of the underlying server: script injected through a comment runs in the browser of an administrator who views it, and with that administrator's session it can do anything the dashboard allows, such as adding an administrator account or editing theme and plugin PHP files, which amounts to code execution on the host. According to WordPress statistics, about 86 percent of all WordPress sites were running a vulnerable version as of November 20, 2014. Compromised sites can then be used to attack their visitors, and a compromised server can be enrolled in a botnet. Reports indicate that the vulnerability is being actively exploited and that exploit code is publicly available for others to use and modify.
Technical Details
The attack vector is a comment: the attacker submits malicious JavaScript in a comment on a post or page, which an anonymous visitor can do on any site that accepts comments. The script executes when someone views that comment, whether on the public post or page or in the Comments screen of the administrative dashboard, and it runs in the viewer's browser with the viewer's authenticated session to the site. The worst case is therefore an administrator viewing the comment, because the script then acts as the administrator.
The flaw is in wptexturize(), a text-formatting function that is enabled by default and rewrites posts and comments for typography, for example turning straight quotes into curly ones and runs of hyphens into dashes. It runs when content is rendered, after the comment has already passed WordPress's HTML filter, and it is meant to leave HTML tags and shortcodes untouched. A comment containing a specially crafted mix of square brackets and angle brackets confuses that tag detection, so quote characters inside markup the filter had accepted get rewritten. The browser then parses the output differently from what the filter approved, and an attribute the filter never allowed, such as an event handler, comes into existence.
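The ordering problem described above (an allowlist filter approves markup, then a quote-rewriting transform runs over that same markup) can be reproduced in a few lines. The following is an added, constructed illustration and not WordPress's wptexturize() or wp_kses() code: sanitize() is a toy allowlist filter, texturize_naive() rewrites quotes over the whole string and stands in for a transform whose tag detection has been defeated (the bracket trick that confuses the real function is not modelled), and texturize_aware() shows the safe alternative of rewriting quotes only inside text nodes. SAMPLE_COMMENT is a constructed attacker comment, and every function name here is hypothetical.

```python
import re
from html import escape
from html.parser import HTMLParser

# Added, constructed example; not WordPress code. It models the ordering bug
# behind this advisory: an allowlist filter approves markup, then a typographic
# quote rewrite runs over that same markup. All names here are hypothetical.

# Kses-style allowlist: tag -> permitted attributes.
ALLOWED_TAGS = {"a": {"href", "title"}, "em": set(), "strong": set()}

_TAG_RE = re.compile(r"<(/?)([A-Za-z]+)([^>]*)>")
_ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def sanitize(comment):
    """Drop unknown tags and attributes; re-emit kept values single-quoted.

    title='x onmouseover=alert(1)' is accepted: inside the quotes it is text,
    and 'onmouseover' is never seen as an attribute name.
    """
    def fix_tag(m):
        closing, name, raw_attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            return ""
        if closing:
            return "</" + name + ">"
        kept = []
        for am in _ATTR_RE.finditer(raw_attrs):
            attr = am.group(1).lower()
            value = am.group(2) or am.group(3) or am.group(4) or ""
            if attr in ALLOWED_TAGS[name]:
                kept.append(attr + "='" + value.replace("'", "&#39;") + "'")
        return "<" + " ".join([name] + kept) + ">"
    return _TAG_RE.sub(fix_tag, comment)


def texturize_naive(text):
    """Straight quotes become curly: opening after a non-word character,
    closing otherwise. Applied blindly to the whole string, tags included."""
    text = re.sub(r"(?<!\w)'", "\u2018", text).replace("'", "\u2019")
    text = re.sub(r'(?<!\w)"', "\u201c", text).replace('"', "\u201d")
    return text


class _TexturizingRebuilder(HTMLParser):
    """Re-serialises markup, transforming quotes in text nodes only."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            parts.append(name + '="' + escape(value or "", quote=True) + '"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append("</" + tag + ">")

    def handle_data(self, data):
        self.out.append(escape(texturize_naive(data), quote=False))


def texturize_aware(markup):
    parser = _TexturizingRebuilder()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


class _AttrCollector(HTMLParser):
    """Records every attribute a browser-like parser ends up seeing."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def event_handlers(markup):
    """Names of on* attributes in the parsed markup, i.e. script that would run."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [name for name, _ in parser.attrs if name.startswith("on")]


def render_vulnerable(comment):
    """Filter, then rewrite quotes over the filtered markup (the bad order)."""
    return texturize_naive(sanitize(comment))


def render_fixed(comment):
    """Filter, then rewrite quotes only inside text nodes."""
    return texturize_aware(sanitize(comment))


# Constructed attacker comment: the payload sits inside an allowed, quoted
# title attribute, so the allowlist filter passes it unchanged.
SAMPLE_COMMENT = "<a title='x onmouseover=alert(1)'>hover me</a> it's \"fine\""

if __name__ == "__main__":
    for label, out in (("sanitized", sanitize(SAMPLE_COMMENT)),
                       ("vulnerable", render_vulnerable(SAMPLE_COMMENT)),
                       ("fixed", render_fixed(SAMPLE_COMMENT))):
        print(label, "->", out)
        print("    event handlers:", event_handlers(out))
```

Run it and compare the three outputs: the sanitized markup carries the payload harmlessly inside a quoted title attribute, the naive pipeline turns the delimiting quotes into curly quotes so the browser sees onmouseover as a real attribute, and the node-aware pipeline keeps the attribute value intact. The lesson is not specific to WordPress: any transform that runs after a sanitizer must either work on the parsed tree or run before the sanitizer, so that the sanitizer judges the exact bytes the browser will receive.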
Are You Vulnerable?
So how do you know whether your site is exposed? The WordPress version is displayed in the administrative area, in the header or footer depending on the version, and in the "At a Glance" pane of the dashboard. It is also recorded in wp-includes/version.php and in readme.html in the site root. Note that readme.html is publicly readable on a default install, so it tells attackers your version as readily as it tells you; many administrators delete or block it for that reason. If the version is older than 3.9.3, the site is vulnerable.
A scanning tool such as Qualys FreeScan can give you a quick snapshot of your security and compliance posture along with recommended fixes. Whatever tool you use, update vulnerable sites immediately, and then check whether they were compromised before the update: unexpected administrator accounts, comments containing script or unusual bracket sequences, and recently modified theme or plugin files are the things to look for, because updating closes the hole but does not undo what an attacker has already done.
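The following added script (not WordPress or Qualys code) automates that check for a local install: it reads the version from wp-includes/version.php, falls back to readme.html, and compares the result with 3.9.3, the fixed release named in this article. Treat a "vulnerable" verdict on an older maintained branch as "verify against the official release notes", since those branches received their own patched releases whose numbers sort below 3.9.3. Function names are hypothetical, and the version.php content written by the demo is constructed.

```python
import re
from pathlib import Path

# Added, constructed example; not WordPress or Qualys code. Finds the installed
# WordPress version in the two files the article names and compares it with
# the fixed release. FIXED_VERSION is taken from the article; other maintained
# branches shipped their own patched releases, so check the official release
# notes before acting on a "vulnerable" verdict for a version on those branches.

FIXED_VERSION = "3.9.3"

# wp-includes/version.php holds a line such as:  $wp_version = '3.9.2';
_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# readme.html shows "Version 3.9.2" in its heading.
_README_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def parse_version(version):
    """'3.9.2' -> (3, 9, 2); '4.0' -> (4, 0, 0), so tuples compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])


def version_from_version_php(text):
    """Version string from the contents of wp-includes/version.php, or None."""
    m = _VERSION_PHP_RE.search(text)
    return m.group(1) if m else None


def version_from_readme(text):
    """Version string from the contents of readme.html, or None."""
    m = _README_RE.search(text)
    return m.group(1) if m else None


def detect_version(install_root):
    """Prefer version.php (what WordPress itself reads); fall back to readme.html."""
    root = Path(install_root)
    php = root / "wp-includes" / "version.php"
    if php.is_file():
        found = version_from_version_php(php.read_text(errors="replace"))
        if found:
            return found
    readme = root / "readme.html"
    if readme.is_file():
        return version_from_readme(readme.read_text(errors="replace"))
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the version sorts below the fixed release. Deliberately
    conservative: a patched release on an older branch also sorts below
    3.9.3 and is flagged, which is the safer direction to err in."""
    return parse_version(version) < parse_version(fixed)


def assess(install_root):
    """One-line verdict for a WordPress document root."""
    version = detect_version(install_root)
    if version is None:
        return "unknown: no version.php or readme.html found"
    if is_vulnerable(version):
        return "VULNERABLE: " + version + " is older than " + FIXED_VERSION + ", update now"
    return "ok: " + version


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        print(assess(sys.argv[1]))
    else:
        # No path given: build a throwaway install tree with a constructed
        # version.php so the output format can be seen without a real site.
        with tempfile.TemporaryDirectory() as tmp:
            inc = Path(tmp) / "wp-includes"
            inc.mkdir()
            (inc / "version.php").write_text("<?php\n$wp_version = '3.9.2';\n")
            print(assess(tmp))
```

Point it at a document root (python check_wp_version.py /var/www/html) to get a verdict for a real install; with no argument it demonstrates on a constructed 3.9.2 tree. The check only reads files on disk, so it works for sites whose admin area you cannot reach, and the result is a starting point: a patched version means the hole is closed, not that nothing got in before the patch.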
For more details on the vulnerability and mitigation steps, see the official WordPress release announcement at [https:].
Image Credit: Brian A Jackson / Shutterstock
As the CISO for Qualys, Jonathan is responsible for working with Qualys’ growing customer base to develop and share security best practices, researching real world threats and collaborating on how to address them. Before joining Qualys, Jonathan was the CISO for the State of Colorado, where he oversaw the information security operations for 17 executive branch departments, encompassing approximately 26,000 employees and 150,000 systems.