Millions of WordPress Websites at Risk of Hijacking

WordPress released a security update shortly after the news broke over the weekend.

The vulnerability, which affects WordPress 4.2 and earlier versions, allows malicious JavaScript to be injected into the comment system; the code executes when the comment is viewed in a visitor’s browser, according to security firm Klikki Oy. The result is a stored cross-site scripting (XSS) attack that can steal user data, Klikki Oy said in a report.

WordPress administrators are encouraged to update to WordPress 4.2.1. Sites that support automatic background updates will update on their own; the Background Update Tester plugin can be used to check whether a site does.

WordPress is one of the most widely used web publishing systems. By the organization’s own estimate, it runs 23 percent of the websites on the Internet, including big names such as CNN and the Times.

Jouko Pynnönen, a researcher at Klikki Oy, reported a new and unpatched vulnerability in the WordPress system; a similar bug was fixed this week by WordPress developers, but only 14 months after it was reported. WordPress versions 4.2, 4.1.2, 4.1.1 and 3.9.3 are affected.

Jouko Pynnönen said, “If [the script is] triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.”

He added, “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The vulnerability stems from how WordPress handles comments of around 64 KB or more. Such a comment passes the input filter intact but is truncated when stored in the database, and the truncated result is malformed HTML, so the user posting the comment gains control over HTML attributes in the rendered page.

“The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect,” Pynnönen explained.
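As an added illustration (not Klikki Oy’s proof of concept and not WordPress code), the following Python models the validate-then-truncate failure described above. The toy allow-list filter standing in for wp_kses, the emulation of a MySQL TEXT column silently cutting values to 65535 bytes, and the shape of the payload are all assumptions chosen to show the mechanism, not details taken from the advisory:

```python
"""Added illustration: an HTML fragment that passes an allow-list filter can
still become malformed, attacker-shaped HTML once a length-limited column
truncates it. The filter, the column emulation and the payload are assumptions."""
import re

TEXT_COLUMN_BYTES = 65535  # capacity of a MySQL TEXT column

# Toy allow-list standing in for wp_kses: only <a> with a single-quoted title
# attribute, and only when the tag is properly closed.
ALLOWED_TAG = re.compile(r"<a title='[^'<>]*'></a>")


def passes_filter(fragment: str) -> bool:
    """Accept only allowed, well-formed tags plus plain text (no stray < or >)."""
    stripped = ALLOWED_TAG.sub("", fragment)
    return "<" not in stripped and ">" not in stripped


def store_in_text_column(value: str) -> str:
    """Mimic MySQL with strict mode off: silently cut the value to 65535 bytes."""
    return value.encode("utf-8")[:TEXT_COLUMN_BYTES].decode("utf-8", errors="ignore")


def truncated_mid_tag(fragment: str) -> bool:
    """True if the last '<' opens a tag that is never closed by '>'."""
    last_open = fragment.rfind("<")
    return last_open != -1 and fragment.find(">", last_open) == -1


def build_payload(filler_bytes: int) -> str:
    """Constructed payload: the quoted title value carries would-be attributes;
    the filler pushes the closing quote and </a> past the column limit."""
    return "<a title='x onmouseover=alert(1) " + "A" * filler_bytes + "'></a>"


def vulnerable_save(comment: str) -> str:
    """Filter first, then store, as a sanitise-on-input pipeline does.
    The filter's guarantee is lost when storage truncates the value."""
    if not passes_filter(comment):
        raise ValueError("rejected by filter")
    return store_in_text_column(comment)


def hardened_save(comment: str) -> str:
    """Refuse anything that cannot be stored intact, then filter, then verify
    that what was stored is byte-for-byte what was validated."""
    if len(comment.encode("utf-8")) > TEXT_COLUMN_BYTES:
        raise ValueError("comment too long to store without truncation")
    if not passes_filter(comment):
        raise ValueError("rejected by filter")
    stored = store_in_text_column(comment)
    if stored != comment:
        raise ValueError("stored value differs from validated value")
    return stored


def demo(filler_bytes: int = 70000) -> dict:
    """Summarise what happens to the constructed payload on both paths."""
    payload = build_payload(filler_bytes)
    stored = vulnerable_save(payload)
    try:
        hardened_save(payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "passes_filter_before_store": passes_filter(payload),
        "stored_length": len(stored),
        "stored_cut_mid_tag": truncated_mid_tag(stored),
        "passes_filter_after_store": passes_filter(stored),
        "hardened_path_rejected": hardened_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the submitted fragment passes the filter, while the stored copy is cut off mid-tag with its closing quote and `</a>` gone, so any later step that re-parses or repairs the fragment is working on attacker-chosen text. One caveat: MySQL only truncates silently when strict SQL mode is off; with `STRICT_TRANS_TABLES` in `sql_mode` the INSERT fails with a “Data too long” error instead. The hardened path checks the length itself rather than relying on database configuration that may differ between hosts.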

Pynnönen said that until a patch is available the best option is to disable comments and not accept any from anyone.

Engineering manager at Rapid7, Tod Beardsley said, “Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations. In addition, the latest vulnerability remains unpatched by the vendor, so WordPress administrators should be spending their Monday morning evaluating if a plugin to mitigate the exposure is right for their site, or if comments should be disabled altogether until a patch is available.”

Security Gladiators (SG) suggests these measures to protect yourself from the vulnerability:

  • Delete unnecessary plugins and install only those you actually need.
  • Protect your website with a web application firewall.
  • Keep your plugins up to date.
  • If you enable comments, install the Akismet plugin (it helps a lot, though note that it is a spam filter and will not by itself block a crafted payload from a commenter it does not flag as spam).
  • Check your website for updates daily.
  • Make backups on a regular basis.

For more detailed information and instructions, please go through this guide.

Not long after, on Monday 27 April, the organization released a “critical” security update, WordPress 4.2.1, addressing the vulnerability. (WordPress did not return an email requesting comment.)


Stella Strouvali

Stella is a certified writer and zealous wordsmith, a true fan of Placebo, technology, Panionios and wellness. Still, her true passion has to do with eagerly learning new things and passing them on to others. “An unexamined life is not worth living”, to quote Socrates.