Millions of sites running the popular WordPress blogging platform are at risk from recently discovered zero-day vulnerabilities. These vulnerabilities were discovered by Finland-based security researcher Jouko Pynnönen, and could allow an attacker to execute JavaScript code in the website administrator’s browser window, and can further perform malicious tasks using administrator’s privileges. The attacker can even take control of the server. WordPress has released an update to WordPress, which they have called a “critical security release” that they urge all users to update to.
The vulnerabilities allow an attacker to launch a stored cross-site scripting (XSS) attack via comments, forums, discussions, etc. This type of XSS attack is the most dangerous type. The attack is carried out by adding HTML and JavaScript content along with 64kb of text to comments on a WordPress-hosted blog or site. This code is then stored in the WordPress database. When a website administrator accesses the portal to review the comment, the script is executed.
The malicious script then performs tasks like uploading a shell file (backdoor) to the server or adding other users with administrative privileges. The attacker is also able to access the server using the uploaded backdoor, or can login using the newly created user with administrative privileges. This all happens in the background, without the administrator’s knowledge or approval.
Recommendations and Trend Micro Solutions
We urge site administrators to upgrade their versions of WordPress to the latest version (4.2.1), which fixes these vulnerabilities. This can usually be easily done via the WordPress dashboard.
In addition, the following Trend Micro Deep Security XSS prevention rule covers these vulnerabilities. The rule is available out of the box in the product and prevents attacks from leveraging these vulnerabilities. It is also advised to check whether your server is still compromised after applying the rule.
- 1000552 – Generic Cross Site Scripting(XSS) Prevention
