Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

The New Acunetix V12 Engine


So it’s been a while since we’ve talked about any flaws in WordPress – because usually they are pretty dull and require such an obscure set of circumstances, that they are unlikely to ever occur in the wild.

The most recent time was this year actually, but was a DoS attack, which is not THAT damaging – XML Quadratic Blowup Attack Blows Up WordPress & Drupal.

Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

But this, this time it’s different – this one is pretty seriously. Fortunately it’s not a vulnerability in the latest version of WordPress (4.0) but only affects those people still sticking to the latest version on the 3.x branch (3.9.2 or below).

New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.

The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates. The 3.9.3, 3.8.5 and 3.7.5 updates address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments.

“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,” said Jouko Pynnonen, the security researcher who found the flaw, in an advisory. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”

Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.


Still, if a blog is using 3.9.2 and has anonymous commenting enabled (which most do) then a malicious user could execute JavaScript as you (the admin) by utilising this exploit.

Obviously if you’ve gone the ‘cloud’ way and don’t allow ANY user input at all, and are using only Facebook Comments/Disqus/LiveFyre etc then you are safe.

The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.

The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.

Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that’s similar to the ones fixed in the content management system itself.

“The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website’s visitors,” said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post. “If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.

As a side note, there is also a similar vulnerability in the popular plug-in WP-Statistics, which also fails to sanitize data and falls foul to the same kind of XSS (which allows addition of an admin account by the malicious user).

There’s an update available for the plugin, so if you’re usint it – get it updated! And of course update WordPress core as well, if your auto-updates failed.

Source: Network World

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.


One Response to Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

  1. Alan November 24, 2014 at 11:34 pm #

    This is my most favorite blog, when it comes to Internet security. The news about XSS affecting wordpress, simply mind blowing.