Word came today that WordPress has a new problem. It is hard enough to keep on top of maintaining the security of a WordPress site without the constant deluge of security issues. Today, we get word of a cross-site scripting attack, or XSS, in the WordPress comment system.

WordPress is a content management system that is used as the underlying framework for roughly 186,700 of the top one million websites, to say nothing of the thousands upon thousands of smaller sites that are running WordPress. Let’s face it, the software is user friendly, but not without security issues.

The problem that WordPress has is a stored XSS. The attack occurs when a user leaves JavaScript in the comment section; it is launched later, when the comment approver views the comment. Usually comments are reviewed by someone with admin-level privileges. In order for this to work, the comment has to be greater than 64 KB in length.

From Klikki (h/t Sucuri):

“If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”

So, that is less than ideal. According to the researcher, WordPress has refused to acknowledge the issue since it was first submitted in November of 2014 via CERT-FI and HackerOne. I find it a bit odd that they would not have responded to something like this. To make matters worse, there is a proof of concept posted on the researcher’s site that will no doubt be repurposed in 3…2…1.

So, what is the fix? Well, for now you should disable your comments and not view or approve any that are in the queue. It would be wise to have a web application firewall in place to help with this as well. Belt and suspenders and all that.

The most recent WordPress software release was on April 21, 2015. At this point there is no word from WordPress (see what I did there) as to when we can expect to see a fix in place.

UPDATE: WordPress has released a security update, version 4.2.1, to mitigate this problem.
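The root of the bug above is that the sanitiser sees the full comment but the database keeps only the first 64 KB, so approved HTML can be cut mid-tag. The guard below is an added example (not WordPress code and not the researcher's proof of concept): it measures the encoded byte length before INSERT, rejects anything the TEXT column cannot hold intact, and shows on a constructed sample how a harmless link becomes malformed HTML once truncated. The 65,535-byte figure is the MySQL TEXT capacity; the tag-balance check is a deliberately simple heuristic for the demonstration.

```python
"""Pre-insert guard against the comment-truncation stored XSS described above.

MySQL's TEXT column holds at most 65,535 bytes. Anything longer is cut off on
INSERT, so HTML a sanitiser already approved can be split mid-tag. Measure the
encoded byte length first and refuse what the column cannot store whole.
"""

MYSQL_TEXT_MAX_BYTES = 65_535  # capacity of the MySQL TEXT type

def byte_length(comment: str) -> int:
    """Size as stored: UTF-8 bytes, not characters (multi-byte text counts more)."""
    return len(comment.encode("utf-8"))

def fits_in_text_column(comment: str) -> bool:
    """True if the comment survives INSERT without truncation."""
    return byte_length(comment) <= MYSQL_TEXT_MAX_BYTES

def simulate_truncation(comment: str) -> str:
    """What the database would keep: the first 65,535 bytes of the comment."""
    return comment.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", "ignore")

def tags_balanced(fragment: str) -> bool:
    """Cheap heuristic: every '<' must be closed by '>' before the next '<'."""
    inside_tag = False
    for ch in fragment:
        if ch == "<":
            if inside_tag:
                return False
            inside_tag = True
        elif ch == ">":
            if not inside_tag:
                return False
            inside_tag = False
    return not inside_tag

def validate_comment(comment: str) -> tuple[bool, str]:
    """Decision a comment handler should make *before* calling INSERT."""
    if not fits_in_text_column(comment):
        return False, f"{byte_length(comment)} bytes exceeds column limit {MYSQL_TEXT_MAX_BYTES}"
    return True, "ok"

# Constructed sample (hypothetical): harmless text followed by an allowed <a> tag,
# sized so the tag straddles the column limit. Sanitised input, broken once stored.
SAMPLE = "a" * (MYSQL_TEXT_MAX_BYTES - 10) + '<a href="https://example.com">link</a>'

if __name__ == "__main__":
    print(validate_comment(SAMPLE))                          # rejected before INSERT
    print("intact balanced:", tags_balanced(SAMPLE))          # True
    print("truncated balanced:", tags_balanced(simulate_truncation(SAMPLE)))  # False
```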