Don't Discount XSS Vulnerabilities

  • 24 November 2014

By Ericka Chickowski
 
XSS flaws are more serious than you'd think.
Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.
The release notes issued by the WordPress team fixed a number of critical vulnerabilities, including a handful of serious XSS vulnerabilities. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug found by Sucuri researchers that could be used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen. He offered further details about that flaw in the Full Disclosure mailing list last week.
With 86% of WordPress sites still running vulnerable versions, this particular XSS allows attackers to post comments with malicious JavaScript onto WordPress sites that don't authenticate users before they make comments, says Pynnonen, a researcher with the firm Klikki Oy. The malicious code would then execute when it is viewed in a blog, a page, or the administrative dashboard. Pynnonen developed a proof of concept that showed how this could be leveraged to devastating effect.
 
 