WordPress Sites Are Vulnerable To Hacker Hijacking Due To An XSS Bug

Security firm Sucuri has discovered a cross-site scripting (XSS) vulnerability in WordPress that can allow hackers to gain full access to any WordPress website. The bug leaves millions of users at risk because it is part of the WordPress theme known as Twenty Fifteen, which is installed by default for all users. Even if you are not using the default Twenty Fifteen theme, you are still at risk if you are among the million users of the JetPack plugin for WordPress. Before telling you the cure for this bug, we will take some time to explain the vulnerability and how it affects any WordPress website.


Both the Twenty Fifteen theme and the JetPack plugin contain a package called ‘genericons’. The XSS vulnerability resides in the Document Object Model (DOM) handling of the ‘genericons’ package. The DOM is the browser's in-memory representation of a page's content. We have included a link about DOM-based XSS vulnerabilities, courtesy of the Open Web Application Security Project, in the last paragraph as further reading for professionals. To exploit this vulnerability in a WordPress website, hackers have to use a bit of social engineering to lure the website owner into clicking a malicious link. Once the unsuspecting website administrator clicks the link, the payload executes in the browser rather than on the server, and the hacker is able to gain full access to the website.

The obvious question now is how to employ safeguards until the makers of WordPress patch the vulnerability. The simple cure is to delete the example.html file that is included in the Twenty Fifteen theme. If you are still feeling paranoid and do not wish to delete the aforementioned file, you can employ a web application firewall or intrusion detection system to block access to it. Major website hosts such as GoDaddy, HostPapa, DreamHost and many others have been notified about the vulnerability, and all of them have already patched it.
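As an added example (not from the article, Sucuri or the WordPress project), the POSIX shell functions below locate the genericons example.html file that the article recommends deleting under a WordPress wp-content directory, remove it on request, and print an nginx rule for the block-access alternative. They assume the file sits at a path ending in genericons/example.html, which is an assumption about the theme and plugin layout.

```shell
#!/bin/sh
# Added example: find and remediate genericons/example.html in a WordPress
# wp-content tree. The path suffix 'genericons/example.html' is an assumption
# about where the Twenty Fifteen theme and JetPack plugin ship the file.

# Print the full path of every genericons/example.html below $1 (wp-content).
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Print how many such files exist below $1; useful for a quick audit report.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every file found by find_genericons_examples below $1 and print the
# number removed. The here-document keeps the loop in the current shell so the
# counter survives (a pipe into 'while' would run it in a subshell).
remove_genericons_examples() {
    removed=0
    while IFS= read -r f; do
        [ -z "$f" ] && continue
        rm -f -- "$f" && removed=$((removed + 1))
    done <<EOF
$(find_genericons_examples "$1")
EOF
    echo "$removed"
}

# Print an nginx location rule that returns 403 for the file, for sites that
# prefer to block access rather than delete it.
nginx_block_rule() {
    printf 'location ~ /genericons/example\\.html$ {\n    return 403;\n}\n'
}

# Usage: source this file, then e.g.
#   count_genericons_examples /var/www/html/wp-content
#   remove_genericons_examples /var/www/html/wp-content
```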

As promised here is #-Link-Snipped-# for the list of DOM-based XSS vulnerabilities, the #-Link-Snipped-# and its coverage on #-Link-Snipped-#.

Replies

  • Steven Doig
    I have an up to date version of Twenty Fifteen, version 1.2, and there is no example.html in the twentyfifteen folder.
