Worst WordPress hole for five years affects 86% of sites article tells that a dangerous cross-site scripting (XSS) hole has been found in WordPress. It will affect millions of sites. An estimated 86 per cent of WordPress websites are vulnerable to the hole, which lies in the popular comment system plugin “WP-Statistics”. The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect the computers of readers or of site administrators.
Klikki Oy security bod Pynnonen commented: “An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication”, calling it “probably the most serious WordPress core vulnerability that has been reported since 2009”.
The flaw has existed for about four years, affecting versions 3.0 through 3.9.2 but not the newest version, 4.0. Official patches were released on November 20 and have now been deployed automatically to most WordPress sites. Reportedly the Akismet comment plugin now also filters any malicious comments containing the exploit.
So users of WordPress 4.0 are safe from this one, but they should note that version 4.0.1 patched a separate, also critical, set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.
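As an added illustration (not code from the original post or from WordPress itself): the defence against comment-borne XSS like the one described above is to never render a visitor's comment HTML verbatim, but to rebuild it from an allowlist of tags and attributes before it reaches readers or administrators. The tag set and URL schemes below are assumptions chosen for this example.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for this example: tag -> permitted attributes.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
                "strong": set(), "code": set(), "blockquote": {"cite"}}
# Assumed safe URL schemes; anything else (javascript:, data:, ...) is dropped.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class CommentSanitizer(HTMLParser):
    """Rebuilds comment markup, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0  # number of disallowed tags removed (useful for logging)

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            self.dropped += 1  # <script>, <img onerror=...>, <iframe> etc. are removed
            return
        parts = []
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # drops on* event handlers and any non-allowlisted attribute
            if name in ("href", "cite") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript: and data: URLs in links
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is always escaped, so a disarmed <script> body stays inert text.
        self.out.append(html.escape(data))


def sanitize_comment(raw):
    """Return (safe_html, dropped_tag_count) for one untrusted comment body."""
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # Constructed sample: an anonymous comment carrying a script payload.
    print(sanitize_comment('Nice post <script>alert(1)</script>'))
```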
1 Comment
Tomi Engdahl says:
Four-year-old comment security bug affects 86 percent of WordPress sites
Bug allows script attack that could be used to hijack sites or attack visitors.
http://arstechnica.com/security/2014/11/four-year-old-comment-security-bug-affects-86-percent-of-wordpress-sites/
A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.
The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators.