The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. The attack code targets one of the latest versions of WordPress, making it a zero-day exploit that could set off a series of site hijackings throughout the Internet.
Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by the administrators who maintain the website. Both attacks embed malicious code into the comments section that appears at the bottom of a WordPress blog or article post. The attackers can then change passwords, add new administrators, or take just about any other action legitimate administrators can perform.
Code is first injected into the comments section of the site, and then a massive amount of text is added: more than 64 kilobytes worth. By default, WordPress doesn’t publish a commenting user’s first post until it has been approved. Therefore, an attacker can post a benign first comment, and this enables further malicious comments from that user to automatically be approved.
On Monday, April 27, WordPress issued a critical security update, WordPress 4.2.1, addressing the flaw.
IPS Zero-Day Protection Released
Check Point protects its customers from the WordPress Cross Site Scripting vulnerability with the newly released zero-day IPS protection published today:
Protection Name: WordPress Overly Long Comment Cross-Site Scripting