Critical XSS flaws patched in WordPress and popular plug-in

The vulnerabilities could allow attackers to create administrator accounts and take control of websites

New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.

The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates.

The 3.9.3, 3.8.5 and 3.7.5 updates address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments.

"In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue," said Jouko Pynnonen, the security researcher who found the flaw, in an advisory. "When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges."

Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.

The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.

The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.

Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that's similar to the ones fixed in the content management system itself.

"The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website's visitors," said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post. "If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim's browser to perform background tasks on its behalf."

The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.

Users of WP-Statistics are advised to update to version 8.3.1 of the plug-in as soon as possible in order to protect their sites. WP-Statistics has been downloaded over 830,000 times from the official WordPress plug-in repository.

WordPress sites are frequently targeted by cybercriminals who rely on compromised legitimate sites for many of their malicious activities, from hosting spam and malware to launching drive-by download attacks against Web users.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags patch managementonline safetyWordpresspatchesSucuri

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Bitdefender 2019

This Holiday Season, protect yourself and your loved ones with the best. Buy now for Holiday Savings!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?