The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. The attack code targets one of the latest versions of WordPress, making it a zero-day exploit that could set off a series of site hijackings throughout the Internet.


Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by the administrators who maintain the website. Both attacks embed malicious code into the comments section that appears at the bottom of a WordPress blog or article post. The attackers can then change passwords, add new administrators, or take just about any other action legitimate administrators can perform.


The malicious code is first placed in a comment, and then a massive amount of text, more than 64 kilobytes, is appended to it. By default, WordPress holds a commenter's first post until a moderator approves it; once that first comment is approved, later comments from the same user are published automatically. An attacker can therefore post a harmless first comment and have the malicious comments that follow bypass moderation.
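The two weaknesses described above, an oversized comment body and the auto-approval of later comments from an author with one approved comment, both sit at the point where a comment is accepted for storage. The following is an added example, not Check Point's protection logic or WordPress's own code, of a pre-storage check that models a hardened policy beside the weak default. It assumes the comment body is stored in a MySQL TEXT column (65,535 bytes maximum) and that the only signal available is the comment text and whether the author already has an approved comment; the function names and sample comments are constructed for the example.

```python
"""Pre-storage comment check (added example; assumptions are marked)."""
import re

# Assumption: comment bodies live in a MySQL TEXT column, whose maximum is
# 65,535 bytes. Anything longer would be cut off at that boundary, so the
# length must be checked *before* the comment is written to the database.
TEXT_COLUMN_LIMIT = 65535

# Matches an HTML-looking tag such as <a href="..."> or </b>. A bare "<" that
# is followed by whitespace (e.g. "x < y") is deliberately not matched.
HTML_TAG_RE = re.compile(r"</?[A-Za-z][A-Za-z0-9-]*(\s[^>]*)?>")


def legacy_policy(content: str, author_has_approved_comment: bool) -> str:
    """The weak default modelled here: once an author has one approved
    comment, every later comment is approved without inspection."""
    return "approve" if author_has_approved_comment else "hold"


def check_comment(content: str, author_has_approved_comment: bool) -> dict:
    """Hardened policy. Returns {"action": ..., "reason": ...} where action
    is one of "reject", "hold" (moderation queue) or "approve"."""
    size = len(content.encode("utf-8"))
    if size > TEXT_COLUMN_LIMIT:
        # Refuse rather than let the storage layer silently truncate.
        return {"action": "reject",
                "reason": f"comment is {size} bytes; limit is {TEXT_COLUMN_LIMIT}"}
    if HTML_TAG_RE.search(content):
        # Markup is held for a human regardless of the author's history,
        # which removes the benefit of a benign "warm-up" comment.
        return {"action": "hold", "reason": "comment contains HTML markup"}
    if author_has_approved_comment:
        return {"action": "approve",
                "reason": "plain text from a previously approved author"}
    return {"action": "hold", "reason": "first comment from this author"}


def compare_policies(samples):
    """Run both policies over (label, content, approved_before) triples and
    return {label: (legacy_action, hardened_action)}."""
    return {label: (legacy_policy(content, prior),
                    check_comment(content, prior)["action"])
            for label, content, prior in samples}


if __name__ == "__main__":
    # Constructed sample comments: a normal one, a markup-bearing one and an
    # oversized one (the filler is plain text; it only needs to be long).
    samples = [
        ("plain_first", "Thanks, useful write-up.", False),
        ("plain_repeat", "Thanks again.", True),
        ("markup_repeat", 'See <a href="https://example.com">this</a>.', True),
        ("oversized_repeat", "Long comment. " + "x" * 70000, True),
    ]
    for label, actions in compare_policies(samples).items():
        print(f"{label:18s} legacy={actions[0]:8s} hardened={actions[1]}")
```

Under the legacy policy every sample from a previously approved author is published untouched; under the hardened policy the markup-bearing comment goes to moderation and the oversized one is rejected outright, so nothing that would be truncated by the storage layer ever reaches the administrator's screen.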


On Monday, April 27, WordPress issued a critical security update, WordPress 4.2.1, addressing the flaw.


IPS Zero-Day Protection Released


Check Point protects its customers from the WordPress Cross Site Scripting vulnerability with the newly released zero-day IPS protection published today:


Protection Name: WordPress Overly Long Comment Cross-Site Scripting


Advisory: http://www.checkpoint.com/defense/advisories/public/2015/cpai-2015-0506.html

  1. Excellent post..

    Yes, it’s cross-scripting: whenever a user integrates a new WordPress version or updates some plugins, that type of script runs automatically…

  2. Obviously a rightly timed, alarming piece of information, team, as handling a WordPress website is becoming a tough challenge nowadays due to the increase in threats of hacking. Hackers have been finding new ways every time. Moreover, many administrators felt relieved with the release of WordPress 4.2, hence, as instructed, once the plugin patch is available, the admins will install it right away and can minimize the exploitation, as I read it in a blog in . What will be your view regarding that?
