Yesterday on Twitter, Dr.-Ing. Mario Heiderich of security firm Cure53 announced an unauthenticated cross-site scripting flaw in WordPress version 4.5, the current version as of the announcement, and below.


Cross-site scripting, or XSS, flaws are vulnerabilities in a website’s code that let malicious actors execute, or trick visitors or administrators into executing, malicious code in a visitor’s browser. There are two types of XSS attacks, stored and reflected: a stored payload is saved on the victim site and runs whenever an affected page is loaded, while a reflected payload runs when a victim clicks a malicious link and the vulnerable page is loaded along with the attacker’s JavaScript. With details still to be announced we can only speculate, but the fact that the exploit is carried out via a GET request suggests the flaw is reflected.

The best protection against this and similar vulnerabilities is to maintain regular and reliable backups, and to keep the WordPress core and all plugins and themes up to date. We expect WordPress to release an update to WP 4.5 (nicknamed “Coleman Hawkins”) shortly, following the announcement.

If WordPress site owners cannot update to WordPress version 4.5.1 quickly, we highly recommend they implement a web application firewall, which will block such attacks even while the vulnerability exists on the underlying WordPress site. In addition, we recommend a malware scanner for WordPress and other site owners to detect, and in SiteLock’s case automatically clean, malware if an unknown vulnerability is exploited and infects a site.
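Since the post speculates that the flaw is reflected and triggered through a GET request, and recommends a firewall as the stop-gap, one defender-side check is to look in the web server’s access log for GET query strings that carry HTML or JavaScript markup. The script below is an added example, not code from the original post or from SiteLock; it assumes the common combined access-log format, and the log lines it scans are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Combined-log prefix: client, identity, user, [time], "METHOD target protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic: a tag, an inline event handler, or a javascript: URL inside a query value.
# These have no business in a search term or page id and are the footprint of a
# reflected-XSS attempt delivered through a GET parameter.
MARKUP_RE = re.compile(
    r'<\s*/?\s*[a-z][a-z0-9]*[\s/>]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE
)


def decode(value, rounds=3):
    """Percent-decode repeatedly: double-encoding is used to slip past naive filters."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value contains markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode(value)  # parse_qsl already decoded once; peel further layers
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per GET request whose query string carries markup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # unparsable line, or not the GET vector this check targets
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample log: a benign search, a plain payload, a POST (ignored), a double-encoded payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2016:10:01:02 +0000] "GET /?s=coleman+hawkins HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/May/2016:10:02:14 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4870 "-" "curl/7.47"',
    '198.51.100.9 - - [06/May/2016:10:02:20 +0000] "POST /wp-login.php?redirect_to=%3Cb%3E HTTP/1.1" 302 0 "-" "curl/7.47"',
    '198.51.100.9 - - [06/May/2016:10:03:05 +0000] "GET /?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4870 "-" "curl/7.47"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["params"])
```

The check is a heuristic and will flag the occasional legitimate value that contains an angle bracket, so treat hits as leads to review against the vulnerable page, not as proof of compromise.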