It has been only days since WordPress, the world’s most popular CMS platform, urged its users to update to the newer security build 4.2.1 after one of WordPress’s forum members discovered a potentially exploitable threat.
A new threat that has recently surfaced on the web sounds much more menacing and might give the WordPress team a hard time. Sucuri researcher David Dede has revealed a new critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to gain control over websites.
The vulnerability lies in the Twenty Fifteen theme and plugin, which is installed on new WordPress sites by default. All websites that still run this theme are vulnerable to the XSS attack.
Moreover, the Jetpack plugin offered by WordPress is also vulnerable to the DOM-based XSS flaw. Jetpack is currently used on over one million websites. The vulnerability lies in a simple example.html file and can be removed by deleting the file itself.
The XSS vulnerability is “DOM based,” meaning it resides in the document object model that’s responsible for how text, images, headers, and links are represented in a browser. DOM-based XSS attacks require the target to click a malicious link. Once the target does so, hackers can gain complete control of the website.
Automattic and the WordPress team left in place a simple example.html file that had the vulnerability embedded. What’s more concerning here is the combined reach of the plugin and theme; they are, in many cases, installed by default in all WordPress installations.
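The fix described above is to delete the example.html file. As an added example (not code from Sucuri, Automattic or WordPress), the shell functions below list and remove files of that name under a site's theme and plugin directories; the default `wp-content/themes` and `wp-content/plugins` layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for leftover example.html files.
# Assumption: themes and plugins live under <wp_root>/wp-content
# (the default WordPress layout). Function names are hypothetical.

# find_example_html WP_ROOT
# Prints the path of every example.html under the theme and plugin
# directories, one per line. Other directories are left alone.
find_example_html() {
    wp_root=$1
    for sub in themes plugins; do
        dir="$wp_root/wp-content/$sub"
        [ -d "$dir" ] || continue
        # -type f ignores directories and symlinks; -iname also catches
        # case variants that a case-insensitive web server would serve.
        find "$dir" -type f -iname 'example.html' -print
    done
}

# remove_example_html WP_ROOT
# Deletes every file reported by find_example_html and prints the
# number of files removed.
remove_example_html() {
    find_example_html "$1" | {
        count=0
        # Read one path per line so names containing spaces survive.
        while IFS= read -r f; do
            rm -f -- "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Stand-alone use: ./audit.sh /path/to/wordpress [--delete]
# Without --delete the script only lists what it found.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--delete" ]; then
        echo "removed: $(remove_example_html "$1")"
    else
        find_example_html "$1"
    fi
fi
```

Run it in list mode first and review the paths before passing `--delete`.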
A dozen web hosts have virtually patched the security hole on the sites they host. Here’s the list of hosts who have implemented the changes: