Another day another Wordpress 0-day

xss wordpress

Word came today that Wordpress has a new problem. It is hard enough to keep on top of maintaining the security of a Wordpress site without the constant deluge of security issues. Today, we get word of a cross-site scripting (XSS) vulnerability in the Wordpress comment system.

Wordpress is a content management system that is used as the underlying framework for roughly 186,700 of the top one million websites, to say nothing of the thousands upon thousands of smaller sites that run Wordpress. Let's face it: the software is user friendly, but not without security issues.

The problem Wordpress has is a stored XSS. It occurs when a user leaves JavaScript in a comment, and that script runs later when the comment approver views it. Usually comments are reviewed by someone with admin-level privileges. For this to work the comment has to be longer than 64 KB.

From Klikki (h/t Sucuri):

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
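As an added illustration (not Wordpress's code and not the researcher's proof of concept), the following Python model shows how a silent cut at the 64 KB TEXT limit can split an allowed tag in half, and the pre-insert length check that keeps such a comment out of the database. It assumes a non-strict MySQL mode that truncates rather than rejects, and the sample comment is constructed (a plain link, no script).

```python
# Added example: models the truncation failure mode described above and the
# defensive check for it. Not WordPress/PHP code; Python stand-in.
MYSQL_TEXT_MAX = 65535  # byte limit of a MySQL TEXT column


def truncate_like_mysql_text(content: str) -> str:
    """Model a non-strict MySQL server storing into a TEXT column: the value
    is silently cut at 65535 bytes (UTF-8, dropping any partial character)."""
    data = content.encode("utf-8")
    if len(data) <= MYSQL_TEXT_MAX:
        return content
    return data[:MYSQL_TEXT_MAX].decode("utf-8", errors="ignore")


def has_dangling_tag(html: str) -> bool:
    """True when the text ends inside an unterminated tag, i.e. the last '<'
    has no closing '>' after it. That is the malformed HTML a byte cut leaves
    behind, and a later renderer may glue following content into the tag."""
    return html.rfind("<") > html.rfind(">")


def fits_comment_column(content: str) -> bool:
    """Pre-insert check: only accept what the column can store whole, so the
    stored text is exactly the text that passed sanitisation."""
    return len(content.encode("utf-8")) <= MYSQL_TEXT_MAX


def build_sample_comment() -> str:
    """Constructed sample: benign allowed HTML (a link) positioned so that the
    byte limit falls in the middle of its href attribute."""
    filler = "a" * (MYSQL_TEXT_MAX - 20)
    return filler + '<a href="https://example.com/page">link</a>'


if __name__ == "__main__":
    comment = build_sample_comment()
    stored = truncate_like_mysql_text(comment)
    print("sanitised input well formed:", not has_dangling_tag(comment))
    print("stored copy well formed:    ", not has_dangling_tag(stored))
    print("stored copy ends with:      ", stored[-24:])
    print("accepted by length check:   ", fits_comment_column(comment))
```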

So, that is less than ideal. According to the researcher, Wordpress has refused to acknowledge the issue since it was first submitted in November of 2014 via CERT-FI and HackerOne. I find it a bit odd that they would not have responded to something like this.

To make matters worse, there is a proof of concept posted on the researcher's site that will no doubt be repurposed in 3...2...1

So, what is the fix? Well, for now you should disable your comments and not view or approve any that are in the queue. It would be wise to have a web application firewall in place to help with this as well. Belt and suspenders and all that.

The most recent Wordpress software release was on April 21, 2015. At this point there is no word from Wordpress (see what I did there) as to when we can expect to see a fix in place.

UPDATE: Wordpress has released a security update, version 4.2.1, to mitigate this problem.
