An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.
The flaw has existed for about four years, affecting versions 3.0 through 3.9.2 but not version 4.0, which handles regular expressions differently.
Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.
Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in a technical advisory.
“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.
“Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.
“Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.”
That it can be exploited under default settings without authentication, and with server-side impact, made it “probably the most serious WordPress core vulnerability that has been reported since 2009”, Pynnonen said.
Pynnonen developed a proof of concept exploit that mopped up evidence of injected script before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password, and creating an administrator account.
Attackers could then write more PHP code to the server through the editor instantly executed using an AJAX request to gain operating system level access.
Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.
Pynnonen created a work-around plugin for administrators who could not upgrade their WordPress servers.
Yet a third set of recently patched XSS flaws was discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below also let attackers become admins for versions , and permitted blackhat search engine optimisation injection into blog posts.
“… the problem is very simple,” Montpas said. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”
SANS diary scribe Johannes B. Ullrich said the XSS vulnerability was a common, underestimated problem.
“XSS does allow an attacker to modify the HTML of the site,” Ullrich said.
“WordPress developers did attempt to implement the necessary safeguards [since] only certain tags are allowed, and even for these tags, the code checked for unsafe attributes.
“Sadly, this check wasn’t done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.” ®
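Ullrich's point is that an attribute check on raw comment text is not enough when browsers tolerate malformed HTML; the robust approach is an allowlist applied to parsed markup. The following is an added illustration, not WordPress's own sanitiser nor code from the advisory: a small comment sanitiser in Python whose allowlist of tags, attributes and URL schemes is chosen here for the example.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allowlist for a comment form: a few formatting tags, and only
# harmless attributes on them. Anything not listed here is dropped.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "blockquote": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class CommentSanitizer(HTMLParser):
    # Rebuilds the comment from the parser's token stream. Decisions are
    # made on parsed tags/attributes, so malformed or unterminated markup is
    # resolved by the parser before we see it and is never passed through raw.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        allowed_attrs = ALLOWED.get(tag)
        if allowed_attrs is None:
            return  # tag not allowlisted (script, img, ...): drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue  # drops every on* handler, style, and so on
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only the listed URL schemes survive in links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # also close inner tags so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text content is always escaped

def sanitize_comment(raw: str) -> str:
    """Return comment HTML containing only allowlisted tags and attributes."""
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    while p.open_tags:  # close whatever the commenter left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Feeding a constructed comment such as `Hi <b onmouseover="x">there</b> <i>unterminated` through `sanitize_comment` yields `Hi <b>there</b> <i>unterminated</i>`: the handler attribute is gone and the open tag is closed, because the parser, not a pattern match, decided what the markup was.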