Recently, a security researcher disclosed a zero-day stored XSS vulnerability in WordPress, meaning it was previously undisclosed and, at the time, unpatched. The vulnerability affected the latest versions of WordPress at the time of release, including 4.2.
The XSS vulnerability involves how WordPress stores comments in its MySQL database. Comments are stored as text, and the size of that text is limited to 64 kilobytes, or 64,000 characters. Given a previously approved comment, an attacker could create a malformed comment using approved HTML tags and tack on 64 kb of any character (perl -e 'print "a" x 64000'). The 64 kb of junk is truncated, and what's left is a malicious comment in the database which will run whenever it's viewed. What runs is up to the attacker – creating backdoors, stealing credentials, malicious redirects and more.
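The root defect described above is silent truncation: the comment is sanitized at its full length, then the database stores a shortened copy, and the shortened copy is what gets rendered. The defensive check a practitioner wants is to measure the comment the way the database will (in bytes, not characters) and reject anything that would not fit untouched, while also running MySQL in strict mode (STRICT_TRANS_TABLES) so an over-length insert fails instead of being cut. The following is an added example written for this post; it is not SiteLock's or WordPress's code. It assumes MySQL's documented 65,535-byte capacity for a TEXT column (the post rounds this to 64 kb) and includes a small simulation of what a non-strict server would store, purely to show that the stored value differs from the validated one.

```python
# Added example (not SiteLock's or WordPress's code): enforce the storage limit
# in the application instead of letting the database silently truncate.
# Assumption: the comment column is a MySQL TEXT column, documented as 65,535 bytes.

MYSQL_TEXT_MAX_BYTES = 65_535  # documented MySQL TEXT column capacity (assumed column type)


class CommentTooLong(ValueError):
    """Raised instead of truncating: a shortened comment may no longer be
    the same string the HTML sanitizer approved."""


def comment_byte_length(comment: str, encoding: str = "utf-8") -> int:
    """Length as the database counts it: bytes, not characters.
    A two-byte 'é' or a four-byte emoji counts as 2 or 4, so a
    character-count check alone under-counts multibyte input."""
    return len(comment.encode(encoding))


def would_truncate(comment: str, max_bytes: int = MYSQL_TEXT_MAX_BYTES) -> bool:
    """True when a non-strict database would store a shortened copy of this comment."""
    return comment_byte_length(comment) > max_bytes


def validate_comment_length(comment: str, max_bytes: int = MYSQL_TEXT_MAX_BYTES) -> str:
    """Accept the comment only if it fits the column untouched.
    Returns the comment unchanged so the call can be chained in front of
    the existing sanitizer; the sanitized string and the stored string
    are then guaranteed to be the same bytes."""
    n = comment_byte_length(comment)
    if n > max_bytes:
        raise CommentTooLong(f"comment is {n} bytes, column holds {max_bytes}")
    return comment


def accepts(comment: str, max_bytes: int = MYSQL_TEXT_MAX_BYTES) -> bool:
    """Boolean form of validate_comment_length for callers that log and drop."""
    try:
        validate_comment_length(comment, max_bytes)
    except CommentTooLong:
        return False
    return True


def simulate_lenient_insert(comment: str, max_bytes: int = MYSQL_TEXT_MAX_BYTES) -> str:
    """Simulation only: what a server without STRICT_TRANS_TABLES keeps, namely
    the first max_bytes bytes (partial multibyte characters dropped). Used here
    to show that the stored value is not the value that was validated."""
    return comment.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    # Constructed inputs: a normal comment and one padded far past the column size.
    normal = "Nice post!"
    padded = "Nice post! " + "a" * 70_000
    print("normal accepted:", accepts(normal))            # True
    print("padded accepted:", accepts(padded))            # False
    print("lenient store differs:", simulate_lenient_insert(padded) != padded)  # True
```

The usage block at the bottom runs the check on a constructed short comment and on one padded past the column size; the padded one is rejected outright, whereas the simulated lenient insert shows the database would otherwise have kept a different string from the one that was validated. Pair the application check with strict SQL mode so that both layers refuse to store a shortened comment.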
WordPress versions 3.9.3, 4.1.1, 4.1.2, and 4.2 are confirmed to be vulnerable. WordPress 4.2.1 was released yesterday to address the newly-discovered XSS vulnerability.
Users are urged to back up their database and site files and upgrade to the latest version of WordPress as soon as possible.
If an upgrade is not feasible, disable comments and do not approve any comments until the update is applied.
The SiteLock TrueShield WAF protects against cross-site scripting attacks, like the WordPress stored XSS vulnerability, regardless of platform patch level. All traffic to the site is analyzed, and requests which contain malicious code are dropped before they reach your site.
A malware scanner of this type crawls your WordPress site looking for malicious links and code. Any malicious code stored in the database and rendered on the page as comments or site content is flagged, and the site owner is immediately alerted.
For SiteLock customers, Expert Services are available to step in and quickly remove the malicious code.
As always, stay up to date on the latest WordPress patches, and stay locked in to the SiteLock blog for the latest security news. To learn more about website vulnerabilities, read the related blog post on the WordPress Genericons XSS Vulnerability.