Millions of WordPress sites risk hijacking due to flaw in default theme

Guess what? Unless your site is hosted by one of 11 specific web hosts, it’s time to patch your WordPress installation again!

Netsparker researchers have recently unearthed a vulnerability affecting one popular theme installed by default in all WordPress installations, and which can be exploited by attackers to take control of vulnerable WP sites. The vulnerability has later been also found in one widely-used WP plugin.

The plugin in question is JetPack, and the theme TwentyFifteen. The vulnerability is a DOM-based Cross-Site Scripting (XSS) flaw that arose due to the example.html file in the genericons package.

The bad news is that millions of sites are at risk, and that the Sucuri Security researchers have spotted an exploit for the flaw in the wild days before the vulnerability disclosure.

“In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin,” Sucuri researchers explained.

The good news is that they have notified a number of web hosts – GoDaddy, HostPapa, DreamHost, ClickHost, Inmotion, WPEngine, Pagely, Pressable, Websynthesis, Site5 and SiteGround – about the flaw, and these hosts moved to virtually patch or harden their customers’ environments a week ago.

The flaw can have a massive impact, but it’s not that severe, as it requires the attackers to convince admins to click on the exploit link while logged into their installation.

Another good news is that the problem is easily fixed. “Remove the unnecessary genericons/example.html file or make sure you have a WAF or IDS that is blocking access to it,” Sucuri advised.

WordPress has also released a critical security update (4.2.2) that eliminates the flaw.

“All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file,” WP’s Samuel Sidler announced on Thursday.

“To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.”