Another day another WordPress 0-day

Apr 27, 2015 | 2 mins
Application Security

Word came today that WordPress has a new problem. It is hard enough to keep on top of maintaining the security of a WordPress site without this constant deluge of security issues. Today's news is a cross-site scripting (XSS) vulnerability in the WordPress comment system.

WordPress is a content management system that serves as the underlying framework for roughly 186,700 of the top one million websites, to say nothing of the thousands upon thousands of smaller sites running it. Let's face it: the software is user friendly, but not without security issues.

The problem in WordPress is a stored XSS. It occurs when a user leaves JavaScript in a comment, and that script is later executed when the comment approver views it. Usually comments are reviewed by someone with admin-level privileges. For this to work, the comment has to be greater than 64 KB in length.

From Klikki (h/t Sucuri):

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

So, that is less than ideal. According to the researcher, WordPress has refused to acknowledge the issue since it was first submitted in November of 2014 via CERT-FI and HackerOne. I find it a bit odd that they would not have responded to something like this.

To make matters worse, there is a proof of concept posted on the researcher's site that will no doubt be repurposed in 3…2…1

So, what is the fix? For now, disable your comments and do not view or approve any that are in the queue. It would also be wise to have a web application firewall in place to help with this. Belt and suspenders and all that.
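The failure mode Klikki describes is a "filter first, truncate later" bug: the comment was well-formed when WordPress filtered it, and the database silently cut it afterwards. The following is an added illustration by the editor, not WordPress or Klikki code; it emulates the MySQL TEXT cut-off, shows the stored copy losing its structure, and contrasts it with the length check a site should enforce before the row is ever written. The column limit and the padded sample comment are constructed for the demonstration.

```python
# Added example (editor's illustration, not WordPress or Klikki code).
# A MySQL TEXT column holds 65,535 bytes and silently truncates longer
# values, so HTML that passed the comment filter can be stored malformed.

MYSQL_TEXT_LIMIT = 65535  # bytes a MySQL TEXT column can hold


def mysql_text_truncate(value: str) -> str:
    """Emulates MySQL silently truncating a TEXT value at the column limit."""
    return value.encode("utf-8")[:MYSQL_TEXT_LIMIT].decode("utf-8", "ignore")


def looks_well_formed(fragment: str) -> bool:
    """Cheap structural check: every '<' has a '>' and quotes are paired.

    A cut inside a tag or an attribute value breaks one of these, which is
    the 'malformed HTML' condition the advisory describes."""
    return (fragment.count("<") == fragment.count(">")
            and fragment.count('"') % 2 == 0)


def build_oversize_comment() -> str:
    """Constructed sample: padding inside a harmless attribute value pushes
    the closing quote and the closing tag past the column limit."""
    padding = "A" * MYSQL_TEXT_LIMIT
    return '<a title="' + padding + '">link</a>'


def store_comment_unsafe(comment: str) -> str:
    # Vulnerable order: the filter saw well-formed markup, then the database
    # truncated it, and nothing re-checks what was actually stored.
    return mysql_text_truncate(comment)


def store_comment_safe(comment: str) -> str:
    # Mitigation pattern: enforce the storage limit before insertion so the
    # database can never alter content that has already been filtered.
    if len(comment.encode("utf-8")) > MYSQL_TEXT_LIMIT:
        raise ValueError("comment exceeds storage limit; rejecting")
    return comment


if __name__ == "__main__":
    sample = build_oversize_comment()
    stored = store_comment_unsafe(sample)
    print("input well-formed:", looks_well_formed(sample))   # True
    print("stored well-formed:", looks_well_formed(stored))  # False
```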

The most recent WordPress software release was on April 21, 2015. At this point there is no word from WordPress (see what I did there) as to when we can expect to see a fix in place.

UPDATE: WordPress has released version 4.2.1, a security update that mitigates this problem.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
