Critical XSS flaws patched in WordPress and popular plug-in

‘);//–“;
var adDivString = “”;
placementDiff = applyInsert($(this), adDivString);
if (debug) {
console.log(“Just placed an ad and the placementDiff is: ” + placementDiff);
}
placementTarget = cumulativeHeight + placementDiff + interModuleHeight + adHeightBuffer;
}
else {
var moduleDivString = “”;
var elementId = “drr-mod-“+moduleCounter;
moduleDivString = “”;
modules.push(elementId);

placementDiff = applyInsert($(this), moduleDivString);
if (debug) {
console.log(“Just placed a module and the placementDiff is: ” + placementDiff);
}
placementTarget = cumulativeHeight + placementDiff + interModuleHeight + moduleHeightBuffer;
moduleCounter++;
}
loopCounter++;
}
// Avoid placing elements too soon due to non-large figures inflating the cumulative height
if ($(this).is(“figure”) !$(this).is(“figure.large”)) {
cumulativeHeight += grafHeight;
}
else {
cumulativeHeight += $(this).height() + grafHeight;
}
}
});

// clone Related Stories module m-15 to come in after 2nd para in article body for mobile breakpoint display
var $relatedStories = $(‘.related-promo-wrapper’);
if ($relatedStories.length) {
var $relatedStoriesClone = $relatedStories.clone();
$relatedStoriesClone.insertAfter( “#drr-container p:eq(1)”);
}

var $insiderPromo = $(‘.insider-promo-wrapper’);
if ($insiderPromo.length) {
var $insiderPromoClone = $insiderPromo.clone();
$insiderPromoClone.insertAfter( “#drr-container p:eq(1)”);
}

//place left side element
cumulativeHeight = 0;
var leftPlacementTarget = tagHeight = leftPlacementTarget) {
if (debug) {
console.log(“congratulations… we’ve passed the initial start point”);
}
if (leftPlacementIndex == null) {
//it’s not good enough to not be a left avoid – it also shouldn’t be a

with an immediately preceding small or medium image left avoid.
if (!isLeftAvoid($(this)) noPrevFigures($(this)) ) {
leftPlacementIndex = $(this).index();
$leftPlacementElement = $(this);
leftPlacementLookaheadStart = cumulativeHeight;
if (debug) {
console.log(“is not a left avoid and no prev figures. ########## set placementIndex (“+leftPlacementIndex+”) and lookaheadStart (“+leftPlacementLookaheadStart+”) ##########”);
}
} else {
if (debug) {
console.log(“is a left avoid or has previous figures. continue”);
}
}
} else {
if (debug) {
console.log(“#### leftPlacementIndex already set to “+leftPlacementIndex+”. looking ahead…”);
}
//not null; has been set
if ((cumulativeHeight – leftPlacementLookaheadStart) leftIntervalHeight) {
if (debug) {
console.log(“###### THRESHOLD REACHED. LOOKAHEAD COMPLETE. END ###### (cumulativeHeight – leftPlacementLookaheadStart) (“+(cumulativeHeight-leftPlacementLookaheadStart)+”) leftIntervalHeight (“+leftIntervalHeight+”).”);
}
return false;
} else {
if (debug) {
console.log(“threshold not reached: (cumulativeHeight – leftPlacementLookaheadStart) (“+(cumulativeHeight-leftPlacementLookaheadStart)+”) tags
if (!(isLeftAvoid($(this)) ($(this).hasClass(‘small’) || $(this).hasClass(‘inline-small’) || $(this).hasClass(‘medium’) || $(this).hasClass(‘inline-medium’) || $(this).hasClass(‘apart’) ))) {
cumulativeHeight += $(this).height() + grafHeight;
}
if (debug) {
console.log(“——————– set cumulativeHeight(“+cumulativeHeight+”) —————“);
console.log(“”);
}
}
});
}

if (leftPlacementIndex != null elementNotNearEnd($leftPlacementElement, leftPixelWindow)) {
if (debug) {
console.log(” insert into index “+leftPlacementIndex);
}
$(“#drr-container”).children().eq(leftPlacementIndex).before(“

“);
}

IDG.GPT.trackOmniture();

// Add Right rail module content
for (var i=0; i= 0) {
var a = document.createElement(‘a’);
a.href = document.referrer;
var uriParts = a.pathname.split(‘/’);
a = ”;
if (typeof uriParts[3] == ‘undefined’) {
epoParams += “typeId=” + defaultTypeId + “referrer=home”; // default is ‘home’ behavior
}
else {
var refCatSlug = uriParts[3];
epoParams += “catSlug=” + refCatSlug + “referrer=article”;
}
}
// From SEARCH: Show article with catId same as current article
else if (document.referrer.indexOf(“google”) = 0 || document.referrer.indexOf(“yahoo”) = 0 || document.referrer.indexOf(“bing”) = 0) {
var categories = [3679];
if (categories instanceof Array categories.length 0) {
var primaryCatId = categories[0];
epoParams += “catId=” + primaryCatId + “referrer=search”;
}
else {
epoParams += “typeId=” + defaultTypeId + “referrer=home”; // default is ‘home’ behavior
}
}
// Default is to show like coming from homepage
else {

epoParams += “displayId=11referrer=home”;

// default is ‘home’ behavior
}
return epoParams;
}

/**
* @param jqo Original jquery object target
* @param divString The div to be inserted.
* @return Difference in height between original placement target and final target.
* Checks first 6 elements for an allowable placement (600 pixel window).
* If none, check nearby for elements that are not right avoids.
* If none, place element before current target.
*/
function applyInsert(jqo, divString) {
if (debug) {
console.log(“applyInsert at top and jqo index is: ” + jqo.index());
}

for (var i=0; i 0) {
children = $(“#drr-container”).children().slice(jqo.index(), allowElement.index() );
}
else {
children = $(“#drr-container”).children().slice(allowElement.index(), jqo.index());

}
if (children != null) {
children.each(function(i) {
if (debug) {
console.log(“About to add this element’s height to heigh diff offset”);
console.log($(this));
}
height += $(this).height() + grafHeight;
});
}
if (offset 300) {
if (debug) {
console.log(“isRightAvoid: found pre. return true”);
}
return true;
}
if (jqo.is(“figure”) jqo.hasClass(‘large’)) {
if (debug) {
console.log(“isRightAvoid: found figure.large return true”);
}
return true;
}
if (jqo.is(“figure”) jqo.hasClass(‘medium’) jqo.hasClass(‘inline’)) {
if (debug) {
console.log(“isRightAvoid: found figure has class medium and inline.”);
}
return true;
}

if (jqo.is(‘div’) jqo.hasClass(‘table-wrapper’)) {
if (debug) {
console.log(“isRightAvoid: found div with class table-wrapper”);
}
return true;
}
if (jqo.is(‘aside’)) {
if (jqo.hasClass(‘sidebar’) !jqo.hasClass(‘medium’)) {
if (debug) {
console.log(“isRightAvoid: found aside with class sidebar, without class medium”);
}
return true;
}
if (jqo.hasClass(‘statsTable’)) {
if (debug) {
console.log(“isRightAvoid: found aside with class statsTable”);
}
return true;
}
}
if (jqo.hasClass(‘download-asset’)) {
if (debug) {
console.log(“isRightAvoid: found class download-asset return true”);
}
return true;
}
if (jqo.hasClass(‘tableLarge’)) {
if (debug) {
console.log(“isRightAvoid: found class tableLarge return true”);
}
return true;
}
if (jqo.hasClass(‘reject’)) {
if (debug) {
console.log(“isRightAvoid: found class reject. return true”);
}
return true;
}
if (jqo.is(‘table’) jqo.hasClass(‘scorecard’)) {
if (debug) {
console.log(“isRightAvoid: found div with class scorecard”);
}
return true;
}
}
return false;
}

// Return true if element has class ‘reject’: will not place drr modules/ads next to these elements
function isRightReject(jqo) {
console.log(“in isRightReject”);
if (jqo != null) {
if (jqo.hasClass(“reject”)) {
if (debug) {
console.log(“isRightReject: found ‘reject’ class”);
}
return true;
}
return false;
}
return false;
}

// Returns true if height of all elements after this one is more than 500; false otherwise
function elementNotNearEnd(element, pixelWindow) {
if (pixelWindow == null) {
pixelWindow = 500;
}
if (element == null) {
return false;
}
var remainingHeight = 0;
var children = $(“#drr-container”).children().slice(element.index());
if (children == null) {
return false;
}
children.each(function(i){
remainingHeight += $(this).height();
});
if ( remainingHeight pixelWindow) {
return true;
}
else {
if (debug) {
console.log(“Element too close to end. Remaining height is: ” + remainingHeight + ” and window is ” + pixelWindow);
}
return false;
}
}

/**
* Return true if need to avoid this element when placing left module.
*/
function isLeftAvoid(jqo) {
if (jqo.is(“figure”)) {
if (debug) {
console.log(“isLeftAvoid: found figure. return true”);
}
return true;
}
if (jqo.is(“aside.pullquote”)) {
if (debug) {
console.log(“isLeftAvoid: found pullquote. return true”);
}
return true;
}
if (jqo.is(“pre”)) {
if (debug) {
console.log(“isLeftAvoid: found pre. return true”);
}
return true;
}
if (jqo.is(“div.gist”)) {
if (debug) {
console.log(“isLeftAvoid: found github code block. return true”);
}
return true;
}

if (jqo.is(“aside”) jqo.hasClass(“sidebar”) jqo.hasClass(“medium”)) {
if (debug) {
console.log(“isLeftAvoid: found medium sidebar. return true”);
}
return true;
}

if (jqo.hasClass(“statsTable”)) {
if (debug) {
console.log(“isLeftAvoid: found class statsTable. return true”);
}
return true;
}
return false;
}

/**
* return true if there are no figures before the target placement that might bleed down into placement element
*/
function noPrevFigures($originalTarget) {
var targetIndex = $originalTarget.index();
var numElementsLookBack = 5;
var figureIndex = null;
var figureHeight = null;
var startIndex = targetIndex – numElementsLookBack

New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.

The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates.

The 3.9.3, 3.8.5 and 3.7.5 updates address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments.

“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,” said Jouko Pynnonen, the security researcher who found the flaw, in an advisory. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”

Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.

The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.

The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.

Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that’s similar to the ones fixed in the content management system itself.

“The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website’s visitors,” said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post. “If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.

Users of WP-Statistics are advised to update to version 8.3.1 of the plug-in as soon as possible in order to protect their sites. WP-Statistics has been downloaded over 830,000 times from the official WordPress plug-in repository.

WordPress sites are frequently targeted by cybercriminals who rely on compromised legitimate sites for many of their malicious activities, from hosting spam and malware to launching drive-by download attacks against Web users.