WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

The New Acunetix V12 Engine


So this is an interesting announcement due to the discussion points it brings up about responsible disclosure, it seems like in this case a researcher published his findings about a WordPress critical zero-day vulnerability without informing WordPress before hand.

WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

And they got it fixed REAL quickly, where as in a previous (pretty similar) case – they took 14 months to fix it, leaving their users at risk for that period.

WordPress 4.2.1 was released on Monday to address a critical zero-day vulnerability disclosed on Sunday by Finnish researcher Jouko Pynnönen of Klikki Oy. The expert published the details of the security bug without notifying WordPress because he was displeased with the way developers handled his recent vulnerability reports.

The stored cross-site scripting (XSS) vulnerability disclosed by Pynnonen is similar to a flaw discovered by Belgian researcher Cedric Van Bockhaven, which WordPress fixed last week with the release of version 4.1.2, more than a year after it was reported. The bug, which affects WordPress 4.2 and earlier, can be exploited by an unauthenticated attacker to execute arbitrary code via very long comments that get truncated when they’re saved into the database.

“The attacker is sending fragments of HTML code to the server that contains JavaScript in it. WordPress tries to verify the content, but misses the embedded script. This specific exploit is because the attacker sends very long content – over 64Kb, which is truncated in the database,” Jeff Williams, CTO of Contrast Security, explained via email. “[When] WordPress sends that data back to the browser as part of a webpage, the script executes.”

“That would be enough for an interesting attack, but this particular exploit goes further. When the attack is executed on an administrator, it uses the administrative privilege to install plugins and execute content directly on the server. Most XSS problems are not exploitable in a way that allows a complete remote host takeover,” Williams added.


This is a pretty clever bug, and pretty dangerous too as when a comment is viewed by someone logged in as admin – the site can basically be hijacked totally.

For an XSS attack – this is pretty serious.

The comment truncation flaw reported by Van Bockhaven was addressed by WordPress only after 14 months. However, Pynnonen’s approach forced the WordPress team to release a patch within hours.

Before the fix was released, website owners running a self-hosted version of WordPress were advised to install the Askimet anti-spam plugin in order to protect themselves against potential attacks.

Pynnonen said he decided not to notify WordPress before making the vulnerability public because a different stored XSS flaw that he reported in November is still unpatched. His attempts to obtain information from WordPress on the status of a patch were unsuccessful, even after he tried contacting developers via HackerOne and CERT Finland (CERT-FI).

Furthermore, WordPress last year promised the researcher a minimum bounty of $2,000 for responsibly disclosing a critical bug affecting WordPress versions prior to 4.0, but they only awarded him $100.

“I don’t think it’s my job to spend months begging for the security team to communicate with me about security vulnerabilities. It’s their job and responsibility to communicate with researchers who try to help them and their customers. And if they ‘pro-actively’ and spontaneously offer me a bug bounty, I think it would be appropriate for them to keep their word,” Pynnonen told SecurityWeek. “I’m sure many people think the disclosure was irresponsible. But instead of months or years, the fix was produced in a few hours. During this time users were aware of the threat and could take precautions.”

Williams believes WordPress is to blame for incidents like this one.

Their Bug Bounty payouts seem pretty lame too, which doesn’t really encourage researchers and vulnerability developers to follow the path of responsible disclosure.

Compound that with their tardy reaction to serious bugs, and you get frustrated bug-hunters – like Jouko Pynnönen in this case.

Source: SecurityWeek

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , ,


Latest Posts:


Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.


Comments are closed.