WordPress 0 Day Exploit

The WordPress CMS, used by millions of websites, is affected by a zero-day flaw that hackers can use to execute code remotely on web servers and take full control of them.

The vulnerability was found by Jouko Pynnönen, who works with a Finland-based security firm. It is a Cross-Site Scripting (XSS) flaw located deep in the comments system of WordPress. The versions affected are 3.9.3, 4.1.1, 4.1.2, along with the latest version 4.2.

Why Was the 0-Day Vulnerability Made Public?

Nearly 14 months after the bug was reported to the team, a cross-site scripting (XSS) vulnerability similar to the present one was patched by WordPress developers.

Because of the possible delay in fixing the hole, Pynnönen disclosed the details of this crucial zero-day vulnerability in WordPress 4.2 and below, so that users are aware of the issue beforehand.

Even though the vulnerability was reported to the WordPress team in November 2014, the team refused all attempts at communication.

0-Day Vulnerability Exploitation

Through this vulnerability, a hacker is able to implant malicious JavaScript code in the comments section, which appears at the bottom of blogs and article posts. Under normal circumstances, this action should be prevented.

The hackers can add new administrators, change passwords, or take actions that can only be performed by genuine administrators of the website. This is called a cross-site-scripting attack.

According to a blog post by Pynnönen, “If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

How Does This Exploit Work

The zero-day exploit works by inserting simple JavaScript code in the form of a comment and then adding to it until it reaches approximately 66,000 characters, or over 64 KB in size.

When the comment is handled by someone who has the website’s WordPress admin rights, the malicious code will be executed without providing any indication to the admin.

WordPress will not automatically publish a comment unless the administrator of the site has approved the user.

Hackers can get around this limitation by fooling the administrator with a harmless first comment. Once that comment is published, it enables further malicious comments to be approved and published in the same post.
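
One way to audit a site for the pattern described in this section, as an added example that is not from the original article or from WordPress: the script flags comments larger than 64 KB and records whether the author already had an approved comment on the same post. The record fields and sample rows are constructed assumptions, not the WordPress schema.

```python
from dataclasses import dataclass

# The article puts the malicious comment at "over 64 KB"; sizes are in bytes.
SIZE_LIMIT = 64 * 1024


@dataclass
class Comment:
    id: int
    post_id: int
    author: str      # assumed: a stable author key such as an e-mail address
    approved: bool
    content: str


def triage(comments):
    """Return {comment_id: (state, size_in_bytes)} for oversized comments.

    state is 'pending' when the comment is still in the moderation queue,
    'published-after-prior-approval' when the same author already had an
    approved comment on the same post, and 'published' otherwise.
    """
    trusted = set()   # (post_id, author) pairs with an earlier approved comment
    findings = {}
    for c in sorted(comments, key=lambda c: c.id):
        size = len(c.content.encode("utf-8"))  # bytes, not characters
        if size <= SIZE_LIMIT:
            if c.approved:
                trusted.add((c.post_id, c.author))
            continue
        if not c.approved:
            state = "pending"
        elif (c.post_id, c.author) in trusted:
            state = "published-after-prior-approval"
        else:
            state = "published"
        findings[c.id] = (state, size)
    return findings


# Constructed sample rows: filler text only, no markup.
SAMPLE = [
    Comment(1, 10, "reader@example.org", True, "Nice article, thanks."),
    Comment(2, 10, "reader@example.org", True, "x" * 66_000),
    Comment(3, 10, "other@example.org", False, "y" * 70_000),
    Comment(4, 11, "other@example.org", True, "Short and ordinary."),
    Comment(5, 10, "third@example.org", True, "é" * 40_000),  # 80,000 bytes
]
```

Comments reported as published-after-prior-approval are the ones to review first, since they reached the site without a moderator looking at them.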

WordPress Patches the 0-Day Vulnerability

The security hole can be fixed by administrators by upgrading their CMS to WordPress 4.2.1.

This version of WordPress reportedly fixes the zero-day vulnerability. So, make sure to update your WordPress website to the latest version of the CMS, and update all of its plugins as well.


