WordPress: Bug Could Enable CompromiseVulnerability Has Been Around for 4 Years
WordPress says users of versions 3.9.2 and earlier of its website content management software need to patch a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
Nearly 86 percent of all WordPress installations are vulnerable to the security flaw, which can be fixed by installing the latest version of the system, says security researcher Jouko Pynnonen of Finnish IT company Klikki Oy, who discovered the vulnerability and reported it to WordPress on Sept. 26. The flaw does not affect users of version 4.0 of the system, WordPress says.
WordPress has more than 75 million customers worldwide, according to its website. The company acknowledged the bug in a security release announcement on Nov. 20. Since reporting the vulnerability to WordPress, Pynnonen says he has been working with the company to solve the problem.
So far, there's no evidence that the flaw has been exploited by hackers, Pynnonen tells Information Security Media Group.
News of the flaw comes just weeks after attackers were targeting websites that ran the WordPress content management system to install malware on users' computers to intercept banking credentials (see: Hackers Grab 800,000 Banking Credentials).
Pynnonen, in a post outlining the flaw, says the bug was introduced in version 3, which was released in 2010.
The flaw can be abused by a cyber-attacker who enters carefully crafted comments containing program code on WordPress blog posts and pages, Pynnonen says. Under default WordPress settings, comments can be entered by anyone without authentication.
"Program code injected in comments would be inadvertently executed in the blog administrator's Web browser when they view the comment," Pynnonen says. "The rogue code could then perform administrative operations by covertly taking over the administrator account."
Those operations include creating a new administrator account, changing the current administrator password and executing attacker-supplied PHP code on the server. "This grants the attacker operating system level access on the server hosting WordPress," Pynnonen says.
WordPress did not immediately reply to a request for comment beyond its security announcement.
Cross-site scripting is a common Web application vulnerability, yet its potential consequences are underestimated, says Ilia Kolochenko, CEO of High-Tech Bridge, a penetration testing firm. "Almost nobody cares about XSS vulnerabilities, leaving their websites vulnerable," he says. "Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals."
Websites that use the WordPress system should upgrade to the latest 4.0.1 codebase to address the flaw, says David Kennedy, CEO of TrustedSec, an information security consulting service. Upgrading, however, may be challenging for websites that feature custom plugins that may not support the 4.0 release, he notes.
While the potential attack surface is much smaller than other bugs, such as Heartbleed and Shellshock, the WordPress flaw is still a very serious vulnerability because many content management systems reside on the WordPress platform, Kennedy says. "Updating is the most important aspect to maintaining site security," he says.
Remote code injection vulnerabilities are "extremely concerning" because they can immediately elevate permissions for the attacker to not only gain control of the WordPress application and content, but possibly the entire server, says JD Sherry, vice president of technology and solutions at Trend Micro.
To mitigate this bug and similar risks, administrators should enable automatic software updates. "This practice ensures you get the latest patches for critical vulnerabilities to help reduce your risk of compromise," Sherry says.
Organizations should also implement firewall and intrusion detection capabilities that protect against injection and scripting attacks, he says. "It is equally important to monitor the updates of third-party plugins that are utilized in your websites. These are most often the common attack vectors outside of the core WordPress code base."