Four-year-old comment security bug affects 86 percent of WordPress sites


Userlevel 7
Badge +48
See also WordPress Releases Security Update Against Critical XSS Vulnerability version 4 was brought out in September and is not vulnerable to it and that updae which was brought out last week was issued to fix cross-scripting issues.
 

Bug allows script attack that could be used to hijack sites or attack visitors.

by Sean Gallagher - Nov 24 2014
 
A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.
The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof of concept attack developed by Klikky Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes.
 
Full Article

0 replies

Be the first to reply!

Reply

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept or continue browsing you agree to our cookie policy. Learn more about our cookies.

    Accept cookies Cookie settings