Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

Use Netsparker


So it’s been a while since we’ve talked about any flaws in WordPress – because usually they are pretty dull and require such an obscure set of circumstances, that they are unlikely to ever occur in the wild.

The most recent time was this year actually, but was a DoS attack, which is not THAT damaging – XML Quadratic Blowup Attack Blows Up WordPress & Drupal.

Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

But this, this time it’s different – this one is pretty seriously. Fortunately it’s not a vulnerability in the latest version of WordPress (4.0) but only affects those people still sticking to the latest version on the 3.x branch (3.9.2 or below).

New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.

The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates. The 3.9.3, 3.8.5 and 3.7.5 updates address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments.

“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,” said Jouko Pynnonen, the security researcher who found the flaw, in an advisory. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”

Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.


Still, if a blog is using 3.9.2 and has anonymous commenting enabled (which most do) then a malicious user could execute JavaScript as you (the admin) by utilising this exploit.

Obviously if you’ve gone the ‘cloud’ way and don’t allow ANY user input at all, and are using only Facebook Comments/Disqus/LiveFyre etc then you are safe.

The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.

The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.

Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that’s similar to the ones fixed in the content management system itself.

“The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website’s visitors,” said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post. “If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.

As a side note, there is also a similar vulnerability in the popular plug-in WP-Statistics, which also fails to sanitize data and falls foul to the same kind of XSS (which allows addition of an admin account by the malicious user).

There’s an update available for the plugin, so if you’re usint it – get it updated! And of course update WordPress core as well, if your auto-updates failed.

Source: Network World

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


One Response to Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

  1. Alan November 24, 2014 at 11:34 pm #

    This is my most favorite blog, when it comes to Internet security. The news about XSS affecting wordpress, simply mind blowing.