Critical XSS vulnerability addressed in WordPress

WordPress version 4.0 is not affected by the critical XSS issue, which could enable an anonymous user to compromise a site.

Released on Thursday, WordPress version 4.0.1 addresses more than 20 vulnerabilities, and WordPress versions 3.9.3, 3.8.5 and 3.7.5 address a critical cross-site scripting (XSS) vulnerability, according to a post.

WordPress version 4.0 is not affected by the XSS issue, which could enable an anonymous user to compromise a site, the post indicates. Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Friday email correspondence that it is the biggest issue receiving a fix.

“It is very simple to exploit and with a well crafted comment, it can lead to a full site compromise,” Cid said. “An attacker can inject JavaScript on a comment that, when viewed by an admin on the comment management page, will force the admin to create a user or do anything the attacker wants. That’s very severe and we will likely start to see it in the wild soon, especially trying to take over sites to inject malware and spam.”

Among the other bugs that are being addressed in WordPress version 4.0.1 are three XSS issues that a contributor or author could use to compromise a site, a cross-site request forgery that could be used to trick a user into changing their password, and an issue involving a denial-of-service when passwords are checked, according to a post.

Additionally, version 4.0.1 provides more protections for server-side request forgery attacks when WordPress makes HTTP requests, and invalidates links in password reset emails if a user remembers their password, logs in and changes their email address, the post indicates, adding a hash collision was addressed that could allow a user’s account to be compromised if they have not logged in since 2008.

Two hardening changes were also made, including better validation of EXIF data being extracted from uploaded photos, the post added.

Sucuri posted on Thursday that users of the WP-Statistics plugin – version 8.3 and lower – are affected by a high risk vulnerability that can enable an attacker to “use Stored [XSS] and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on its behalf.” Upgrading to version 8.3.1 will address the issue.