Critical WordPress 0day Exploit in the Wild

The third WordPress security advisory this month, and by far the most severe, hit the internet with the public release of a 0day exploit carrying the potential for complete website compromise. The exploit proof of concept was publicly disclosed late Sunday evening, which resulted in a flare of attacks across the web throughout Monday (and still ongoing). The exploit affected all current versions of WordPress until a critical security release was published yesterday afternoon. Before going into the details: if you run WordPress on your website, update immediately to version 4.2.1, released yesterday, to close the vulnerability going forward.

The vulnerability is a cross-site scripting (XSS) flaw which, unlike a similar issue that was patched just weeks ago, affects the core WordPress system. It allows an attacker to inject malicious code into the comments section that can quite literally make the attacker an Administrator, which then permits anything from changing passwords and locking out admins to inserting malware and just about anything else.

The way it works: an attacker inserts malicious JavaScript into a comment; when that comment is later processed or viewed by someone with Admin rights to the website, the code executes without giving any indication that anything abnormal happened. By default, WordPress is configured not to publish user comments until they are first approved; however, that can be easily bypassed by first posting a legitimate-looking comment, since once it is approved the author is able to comment openly and can then submit the malicious code.

How to prevent?
Version 4.2.1, released Monday afternoon, fixes the vulnerability and should be installed immediately to prevent any future attacks. Because patching WordPress only prevents future attacks, we encourage all affected users to also review the current admin or privileged users to verify there are no new admins that shouldn't be there, and to audit any logs to make sure nothing out of the ordinary took place in the 24-36 hours since public disclosure. High-traffic and eCommerce WP systems should be especially wary, as should sites which allow open commenting without approval.

You can view the WordPress announcement, which includes links to download the latest version, at https://wordpress.org/news/2015/04/wordpress-4-2-1/, or you can simply update your WordPress system from the Admin backend.
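The post-patch review described above (look for administrator accounts created since disclosure, and check whether the site lets comments through without approval) can be scripted against two WP-CLI exports. The following is an added example, not code from the original post or from the WordPress project. It assumes the operator has run the real WP-CLI commands `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and `wp option get comment_moderation` / `wp option get comment_previously_approved` (the latter option was stored as `comment_whitelist` in 4.2-era releases; both keys are accepted). The CSV text, option values and the disclosure timestamp are constructed sample data, and the audit window anchor is an assumption.

```python
"""Post-patch audit helpers for the WordPress 4.2.1 advisory.

Added example; not the original post's code nor WordPress project code.
Inputs are assumed to come from WP-CLI:
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv
    wp option get comment_moderation
    wp option get comment_previously_approved   # comment_whitelist on 4.2-era sites
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample of `wp user list ... --format=csv` output.
# WordPress stores user_registered in UTC.
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2013-05-02 09:15:44
7,editor_jane,jane@example.com,2014-11-19 16:02:10
42,wp_support,support@example.net,2015-04-27 03:47:51
"""

# Constructed sample of the two comment-moderation options.
SAMPLE_OPTIONS = {
    "comment_moderation": "0",            # 0: comments are not held for manual approval
    "comment_previously_approved": "1",   # 1: a previously approved author skips the queue
}

# Public disclosure was late Sunday evening (26 April 2015); the exact hour
# used here as the audit window anchor is an assumption.
DISCLOSURE_UTC = datetime(2015, 4, 26, 20, 0, tzinfo=timezone.utc)


def parse_user_csv(text):
    """Parse WP-CLI CSV rows and attach a timezone-aware registration time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        row["registered_utc"] = registered.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def new_admins_since(rows, since):
    """Return logins of administrator accounts registered at or after `since`."""
    return [r["user_login"] for r in rows if r["registered_utc"] >= since]


def moderation_findings(options):
    """Describe which moderation settings let comments through without review."""
    findings = []
    if options.get("comment_moderation") != "1":
        findings.append("comment_moderation is off: new comments are not held for approval")
    previously_approved = options.get("comment_previously_approved",
                                      options.get("comment_whitelist"))
    if previously_approved == "1":
        findings.append("comment_previously_approved is on: one approved comment "
                        "lets an author post without further review")
    return findings


def audit(user_csv, options, since):
    """Run both checks and return a dict the caller can log or assert on."""
    return {
        "new_admins": new_admins_since(parse_user_csv(user_csv), since),
        "moderation": moderation_findings(options),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_ADMIN_CSV, SAMPLE_OPTIONS, DISCLOSURE_UTC)
    for login in result["new_admins"]:
        print(f"REVIEW: administrator '{login}' was created after disclosure")
    for finding in result["moderation"]:
        print(f"NOTE: {finding}")
```

A flagged account is a lead, not a verdict: confirm it against the access logs for the same window before removing it. The same user query can be run directly against the database by joining `wp_users` to `wp_usermeta` on the `{prefix}capabilities` meta key, but the WP-CLI export avoids hand-parsing the serialized capability array.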


Tuesday, April 28, 2015