WordPress promises patch for zero-day "within hours"

WordPress statement hints at no prior notice on disclosure, contrary to researcher claims

[Image: wordpress.org. Credit: Heisenberg Media]

Update:

Shortly after this article was posted, WordPress released version 4.2.1, flagging it as a critical update. Website owners are encouraged to update immediately, and automatic updates have started to roll out. More information is here.

However, the release advisory from WordPress still suggests that no prior notification was received from Klikki Oy, something the research firm disputes.

Update (4/28/15): It is no longer just a hint. In a statement, Matt Mullenweg tells Salted Hash that WordPress had no prior warning about the XSS flaw; the team learned about the issue when it was disclosed publicly.

"[We] found out about this issue when it was published publicly," he said.

Original article below:

In a statement on Monday, Matt Mullenweg, founder of Automattic and lead developer of WordPress, said that developers are working to address a recently disclosed XSS vulnerability in the popular CMS platform.

A patch is expected in the "coming hours."

"The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly," Mullenweg said in a statement to Salted Hash.

"It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours, WordPress users will receive an auto-update and should be safe and protected even if they don't use Akismet."

The statement offers a hint that WordPress didn't receive any prior notice of the flaw before it was disclosed. However, the Finnish company Klikki Oy, which disclosed the Stored XSS vulnerability on Sunday, says otherwise.

Klikki Oy says attempts were made to contact WordPress last November and several times since, but all contact was refused.

"We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne," the company said in an advisory on the issue.

"No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to answer the Finnish communications regulatory authority, who has tried to coordinate resolving the issues we have reported, and staff of HackerOne, which has tried to clarify the status of our open bug tickets."

Salted Hash reached out to HackerOne and WordPress. By the time this story went to press, HackerOne was still investigating the claims made by Klikki Oy and could not yet verify them.

Update: HackerOne, in a statement, said that as a rule it has no access to its customers' confidential vulnerability reports, so it cannot verify the claims made by Klikki Oy.

"At HackerOne we provide our customers with the technology platform to successfully run their own vulnerability coordination program, and as the platform provider HackerOne does not have access to any of our customers confidential vulnerability reports." - Alex Rice, CTO, HackerOne.

However, WordPress responded with the statement above, suggesting that they first learned of the vulnerability once it was fully disclosed. This post will be updated with additional details as they become available.

Discovered by Jouko Pynnönen, the Stored XSS vulnerability impacts current WordPress installations. It was tested against versions 4.2, 4.1.2, and 4.1.1 on MySQL versions 5.1.53 and 5.5.41.

In order to exploit the flaw, an attacker needs to get past the XSS filters by using MySQL column truncation. The JavaScript is injected into the comment field inside a comment long enough to reach 64 kb, the equivalent of 65,535 characters, so that MySQL cuts off the end of the stored value. The PoC below uses the character 'A' as padding:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'></a>
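As an added illustration (not code from the article, Klikki Oy or WordPress), the following Python models the ordering problem the advisory describes: a comment filter that checks the markup before the database silently truncates it, so the value that is stored and later rendered is no longer the value that was checked. The allow-list filter, the column-size check and the padded sample comment are assumptions made for this demo.

```python
import html
import re

TEXT_MAX = 65535  # bytes a MySQL TEXT column holds, the figure the article cites


def naive_sanitize(comment: str) -> str:
    """Toy allow-list filter (an assumption, not the CMS's real filter):
    a single <a title='...'></a> with a balanced, quote-free title passes
    through unchanged; anything else is HTML-escaped."""
    if re.fullmatch(r"<a title='([^'<>]*)'></a>", comment):
        return comment
    return html.escape(comment)


def db_truncate(value: str, limit: int = TEXT_MAX) -> str:
    """Model MySQL in non-strict mode silently cutting an over-long INSERT."""
    return value.encode()[:limit].decode(errors="ignore")


def title_is_closed(stored: str) -> bool:
    """Detection check: does the stored markup still end with the closing
    quote and tag that the filter relied on?"""
    return stored.endswith("'></a>")


def vulnerable_pipeline(comment: str) -> str:
    # Filter first, then let the database truncate. The trailing '></a>
    # that satisfied the filter is cut off, so what gets rendered is an
    # unterminated attribute the filter never saw.
    return db_truncate(naive_sanitize(comment))


def hardened_pipeline(comment: str) -> str:
    # Enforce the column limit before filtering, so the value that is
    # checked is byte-for-byte the value that is stored. (Equivalently,
    # MySQL strict SQL mode turns the silent truncation into an INSERT error.)
    if len(comment.encode()) > TEXT_MAX:
        raise ValueError("comment exceeds column size; rejected")
    return naive_sanitize(comment)


# Constructed sample: balanced markup whose padding pushes it past TEXT_MAX.
CONSTRUCTED_COMMENT = "<a title='x onmouseover=h() " + "A" * TEXT_MAX + "'></a>"

if __name__ == "__main__":
    stored = vulnerable_pipeline(CONSTRUCTED_COMMENT)
    print("filter accepted input:", title_is_closed(naive_sanitize(CONSTRUCTED_COMMENT)))
    print("stored value still balanced:", title_is_closed(stored))
    try:
        hardened_pipeline(CONSTRUCTED_COMMENT)
    except ValueError as err:
        print("hardened pipeline:", err)
```

The lesson generalises beyond this bug: any check applied to user input must run on exactly the bytes that will be persisted, so length limits (or strict database modes that error instead of truncating) belong before the filter, not after it.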

This most recent flaw is similar to one that was only recently patched, after more than a year; that earlier flaw used an invalid character, rather than length, to truncate the comment.

Until a patch is released, WordPress says Akismet, which most installs have activated, will block the attack.

Alternatively, Klikki Oy urges site operators to reject queued comments and to disable comments across the site. Taking both steps prevents accounts with pre-approved comment posting rights from being used to trigger the XSS.

A video demonstrating the vulnerability is below:
