“If [the script is] triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” researcher Jouko Pynnönen of Finnish security company Klikki Oy explained in a security advisory published on Sunday.
“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
“The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect,” Pynnönen pointed out.
“If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page.”
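To make the truncation step concrete, the following Python script models it. It is an added illustration for this write-up, not Pynnönen's PoC and not WordPress code: the `ALLOWED` allow-list, the `AllowListFilter` class and the `build_comment`, `mysql_text_insert` and `safe_insert` functions are hypothetical simplifications, and the comment it constructs is a sample shaped only to show the effect. A comment whose `<a>` tag carries a very long `title` attribute passes a tag-and-attribute allow-list, because the attacker's text is merely the attribute's value; a non-strict MySQL server then keeps only the first 65535 bytes of the TEXT column, so the closing quote and `</a>` are lost while the front of the value survives, and the page is handed markup the filter never approved. The same model covers the 2014 variant, where an invalid UTF-8 sequence causes the cut instead of the length.

```python
from html.parser import HTMLParser

MYSQL_TEXT_MAX_BYTES = 65535  # capacity of a MySQL TEXT column, 2**16 - 1 bytes
ALLOWED = {"a": {"href", "title"}}  # hypothetical allow-list, far smaller than wp_kses's


class AllowListFilter(HTMLParser):
    """Minimal stand-in for an allow-list HTML filter (hypothetical): records
    every tag or attribute outside ALLOWED, so an on* handler that appears as
    an attribute is flagged. Text inside an allowed attribute's value is not."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.violations.append(f"<{tag}>")
            return
        for name, _value in attrs:
            if name not in ALLOWED[tag]:
                self.violations.append(f"{name} on <{tag}>")


def filter_violations(fragment):
    """Allow-list violations found in a well-formed fragment ([] means approved)."""
    parser = AllowListFilter()
    parser.feed(fragment)
    parser.close()
    return parser.violations


def build_comment(payload, padding_len):
    """Constructed sample comment, not the advisory's PoC: the payload sits at
    the front of the allowed title attribute, followed by padding that pushes
    the closing quote and </a> past the column limit."""
    return "<a title='" + payload + " " + "A" * padding_len + "'></a>"


def mysql_text_insert(raw):
    """Simplified model of what a non-strict MySQL server keeps in a utf8 TEXT
    column: the value is cut at the first invalid UTF-8 sequence (the 2014
    variant) and at 65535 bytes (the 2015 variant), silently. A real server
    cuts on a character boundary and raises a warning rather than an error."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as err:
        raw = raw[:err.start]
    return raw[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", errors="ignore")


def attack_outcome(payload="x onmouseover=alert(1)", padding_len=70000):
    """Run the validate-then-truncate sequence and report what survived."""
    comment = build_comment(payload, padding_len)
    stored = mysql_text_insert(comment.encode("utf-8"))
    return {
        "approved_by_filter": filter_violations(comment) == [],
        "stored_bytes": len(stored.encode("utf-8")),
        "quote_closed": stored.count("'") == 2,  # the submitted tag had two
        "payload_survived": payload in stored,
        "closing_tag_survived": stored.endswith("</a>"),
    }


def safe_insert(raw):
    """Fix: decode strictly, compare the byte length (the unit the column is
    sized in) against the capacity, and only then filter. Anything the server
    would have trimmed is rejected instead of stored."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("comment is not valid UTF-8") from None
    if len(raw) > MYSQL_TEXT_MAX_BYTES:
        raise ValueError("comment exceeds the column capacity")
    if filter_violations(text):
        raise ValueError("comment contains disallowed markup")
    return text


if __name__ == "__main__":
    for key, value in attack_outcome().items():
        print(f"{key}: {value}")
    try:
        safe_insert(build_comment("x onmouseover=alert(1)", 70000).encode("utf-8"))
    except ValueError as err:
        print("safe_insert:", err)
```

The fix modelled by `safe_insert` is to measure the input in bytes, the unit the column is sized in, and to reject anything that would be truncated or fails to decode before the filter runs; what a browser then makes of the unterminated attribute depends on the markup that follows the comment on the page and is not modelled here. Running MySQL with `STRICT_TRANS_TABLES` in `sql_mode` turns silent truncation into an insert error, which is worthwhile defence in depth on its own.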
Pynnönen provided PoC exploit code and demonstrated the attack.
He also offered a way for site administrators to prevent exploitation until WordPress comes out with a patch: disable comments, and do not approve any that are already pending.
UPDATE: The bug has been patched in WordPress 4.2.1.