WordPress 5.1.1 Fixes XSS Vulnerability Leading to Website Takeovers – BleepingComputer
The WordPress team fixed a software flaw introduced in the 5.1 release that could allow potential attackers to perform stored cross-site scripting (XSS) attacks with the help of maliciously crafted comments on WordPress websites with the comments module enabled.
The vulnerability patched in WordPress 5.1.1 could let an attacker take over a site by chaining a cross-site request forgery (CSRF) flaw with the stored XSS: the attacker lures a logged-in administrator to a malicious website, which silently submits a crafted comment carrying the XSS payload to the target site from the administrator's browser.
The attacker's page then loads the stored payload in a hidden iframe, so the script runs in the administrator's browser with the administrator's privileges; an attacker who never authenticates to the site can thus execute arbitrary HTML and script code and potentially take over the vulnerable WordPress site.
“The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover,” according to RIPS Technologies.
The WordPress team thanked Simon Scannell, the RIPS Technologies researcher who reported the issue, in the 5.1.1 release announcement:
This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting. [..] Props to Simon Scannell of RIPS Technologies who discovered this flaw independent of some work that was being done by members of the core security team.
As explained by Scannell in his analysis of the exploit chain which starts with a CSRF vulnerability, “the chain allows for any WordPress site with default settings to be taken over by an attacker, simply by luring an administrator of that website onto a malicious website.”
Also, “The victim administrator does not notice anything on the website of the attacker and does not have to engage in any other form of interaction, other than visiting the website set up by the attacker.”
While Scannell’s initial issue report from October 10 mentioned “that it is possible to inject more HTML tags than should be allowed via CSRF to WordPress,” the researchers subsequently managed “to escalate the additional HTML injection to a Stored XSS vulnerability.”
As a mitigation measure for WordPress admins who can't immediately update their installation to the patched 5.1.1 release, Scannell recommends disabling comments and logging out of the site before visiting other websites.
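A practitioner with several installs to triage wants a quick way to tell which of them predate the 5.1.1 fix and which still accept comments, the two conditions the report says an exploitable site needs. The following is an added example, not code from the article or from WordPress, that does that offline from the text of wp-includes/version.php (where WordPress core stores `$wp_version`) and from a dump of wp_options (using WordPress's own `default_comment_status` key); the site names, file contents and option dumps are constructed sample input, and the `audit` report format is this example's own. It compares against 5.1.1 as the article states and does not account for the security backports WordPress shipped for older release branches, so a site on a backported point release needs its own comparison.

```python
import re

# Version in which the comment-sanitisation fix shipped, per the release notes quoted above.
FIXED_VERSION = (5, 1, 1)


def parse_wp_version(version_php: str) -> tuple:
    """Return the $wp_version from the text of wp-includes/version.php as a
    3-tuple of ints, e.g. "$wp_version = '5.1';" -> (5, 1, 0).
    Pre-release suffixes such as '-alpha-44876' are dropped before comparing."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    core = match.group(1).split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]


def needs_5_1_1_update(version_php: str) -> bool:
    """True when the install predates the 5.1.1 fix."""
    return parse_wp_version(version_php) < FIXED_VERSION


def comments_exposed(options: dict) -> bool:
    """True when new posts accept comments (WordPress's default), i.e. the site
    accepts the kind of crafted comment the report describes.
    `options` is assumed to be a dump of wp_options keyed by option_name."""
    return options.get("default_comment_status", "open") == "open"


def audit(sites: dict) -> dict:
    """Map each site name to a finding. Each value of `sites` is a pair of
    (version.php text, wp_options dict). Returns 'update' for an unpatched
    install that accepts comments, 'update (comments closed)' for an
    unpatched install with comments closed, and 'ok' otherwise."""
    report = {}
    for name, (version_php, options) in sites.items():
        if not needs_5_1_1_update(version_php):
            report[name] = "ok"
        elif comments_exposed(options):
            report[name] = "update"
        else:
            report[name] = "update (comments closed)"
    return report


# Constructed sample inputs standing in for files pulled from three installs.
SAMPLE_SITES = {
    "blog": ("$wp_version = '5.1';",   {"default_comment_status": "open"}),
    "shop": ("$wp_version = '5.1.1';", {"default_comment_status": "open"}),
    "docs": ("$wp_version = '5.0.3';", {"default_comment_status": "closed"}),
}

if __name__ == "__main__":
    for site, finding in audit(SAMPLE_SITES).items():
        print(f"{site}: {finding}")
```

Closing comments only removes the comment form on new posts; existing posts keep their own `comment_status`, so a site reported as "update (comments closed)" is still best treated as needing the update rather than as safe.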
WordPress core contributor Peter Wilson said that around 20,000 websites would have been affected by the patched XSS bug, with:
Gary Pendergast, also a WordPress core contributor, argued: "Of those 20k potentially affected sites, ~4k are running WordPress 5.0, so these are the sites that are likely to upgrade to 5.1 as soon as it's released. For the themes that use wp_print_scripts(), most of them check if comment threading is turned off before printing it, so a reasonable workaround is to turn that off."
On the other hand, the researcher who found and reported the bug says that "The vulnerabilities exist in WordPress versions prior to 5.1.1 and are exploitable with default settings. WordPress is used by over 33% of all websites on the internet, according to its own download page. Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites."