WordPress Sites Are Vulnerable To Hacker Hijacking Due To An XSS Bug
Security firm Sucuri has discovered a cross-site scripting (XSS) vulnerability in WordPress that can allow hackers to gain full access to any WordPress website. The bug leaves millions of users at risk because it is part of the WordPress theme known as Twenty Fifteen, which is installed by default for all users. Even if you aren't on the default Twenty Fifteen theme, you are still at risk if you are among the million users of the JetPack plugin for WordPress. Before telling you the cure for this bug, we will take some time to explain the vulnerability and how it affects any WordPress website.
Both the Twenty Fifteen theme and the JetPack plugin contain a package called "genericons". The XSS vulnerability resides in the Document Object Model (DOM) handling of the "genericons" package. The DOM is responsible for how content is represented in a browser. We have included a link about DOM-based XSS vulnerabilities, courtesy of the Open Web Application Security Project, in the last paragraph as further reading for professionals. If hackers want to exploit this vulnerability in a WordPress website they have to use a bit of social engineering to lure the website owner into clicking a malicious link. Once the unsuspecting website administrator clicks the link, the payload executes in the browser rather than on the server, and the hacker is able to gain full access to the website.
The obvious question now is how to employ safeguards until the makers of WordPress patch the vulnerability. The simple cure is to delete the example.html file that is included in the Twenty Fifteen theme. If you are still feeling paranoid and do not wish to delete the aforementioned file, you can employ a web application firewall or intrusion detection system to block access to it. Major website hosts such as GoDaddy, HostPapa, DreamHost and many others have been notified about the vulnerability and all of them have already patched it.
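A quick way to audit a WordPress install for the example.html file discussed above, as an added shell example that is not from the article or from Sucuri. It assumes the package ships in a directory whose path contains "genericons" (the exact layout under the theme and plugin is an assumption), and the sample tree it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added example: find (and optionally remove) the genericons example.html
# file under a WordPress document root. Assumes the package lives in a
# directory whose path contains "genericons"; that layout is an assumption.

# Print every genericons example.html found below the given WordPress root.
find_genericons_examples() {
    find "$1" -type f -path '*genericons*' -name 'example.html' 2>/dev/null
}

# Count matches, usable as a pass/fail check from cron or a CI pipeline.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Remove every match, logging each file as it goes.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        printf 'removing %s\n' "$f"
        rm -f -- "$f"
    done
}

# Constructed sample tree (not a real WordPress install) for trying the
# functions out; assumed theme and plugin paths.
make_sample_wp_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/twentyfifteen/genericons" \
             "$root/wp-content/plugins/jetpack/_inc/genericons/genericons"
    : > "$root/wp-content/themes/twentyfifteen/genericons/example.html"
    : > "$root/wp-content/plugins/jetpack/_inc/genericons/genericons/example.html"
    : > "$root/wp-content/themes/twentyfifteen/index.php"   # must be left alone
    printf '%s\n' "$root"
}
```

Run `find_genericons_examples /var/www/html` first to review what would be deleted; a non-zero count after a theme or plugin update means the file has been reinstalled.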
As promised, here is #-Link-Snipped-# for the list of DOM-based XSS vulnerabilities, the #-Link-Snipped-# and its coverage on #-Link-Snipped-#.