Millions of WordPress websites in danger due to easily exploitable bug

A new WordPress version has been released, and you better update to it, as it patches a critical cross-site scripting flaw that can be exploited by attackers to compromise your site.

The vulnerability has ben discovered by Jouko Pynnonen, CEO of Finnish IT company Klikki Oy, and affects version 3.0 of the popular CMS, which is used by at least 86 percent of WordPress sites around the world, meaning that millions of websites are in danger. Version 4.0 is not affected.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login),” the company researchers explained.

“Program code injected in comments would be inadvertedly executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administror account.”

To prove their point, they have created proof-of-concept exploits that allowed them to create a new admin account, change the current administrator password, and execute attacker-supplied PHP code on the server, which can result in the attacker to have operating system level access on the server hosting WordPress.

More attack scenarios can be found here.

The flaw is extremely easy to exploit, and admins of WordPress sites are advised to implement the update as soon as possible – preferably immediately.

“Klikki Oy reported the vulnerability on September 26 and has worked with the vendor to solve the problem. Official patches were released on November 20. They have now been deployed automatically to most WordPress sites,” the company added.

If, for whatever reason, you can’t update your WordPress server, the company has created a workaround plugin that neutralizes the bug.

WordPress 4.0.1 also solves a host of other security issues and bugs.

As a side note: if you’re using the WP-Statistics WordPress plugin, you should update it as well, as it sports an XSS vulnerabilities that can be exploited to “create new administrator account[s], insert SEO spam in legitimate blog posts, and a number of other actions within the WordPress’s admin panel.”