So it’s been a while since we’ve talked about any flaws in WordPress – because usually they are pretty dull and require such an obscure set of circumstances that they are unlikely to ever occur in the wild.
The most recent time was this year actually, but that was a DoS attack, which is not THAT damaging – XML Quadratic Blowup Attack Blows Up WordPress & Drupal.
But this time it’s different – this one is pretty serious. Fortunately it’s not a vulnerability in the latest version of WordPress (4.0); it only affects those people still sticking to the 3.x branch (3.9.2 or below).
New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.
Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.
Obviously, if you’ve gone the ‘cloud’ way and don’t allow ANY user input at all, and use only Facebook Comments/Disqus/LiveFyre etc., then you are safe.
The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.
The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.
Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that’s similar to the ones fixed in the content management system itself.
The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.
As a side note, there is also a similar vulnerability in the popular plug-in WP-Statistics, which also fails to sanitize data and falls foul of the same kind of XSS (which allows the malicious user to add an admin account).
There’s an update available for the plugin, so if you’re using it – get it updated! And of course update WordPress core as well, if your auto-updates failed.
Source: Network World