
UPDATE: WordPress has just released WordPress 4.2.1. They say they only learned about the vulnerability a few hours ago.

Jouko Pynnönen sent an email to the fulldisclosure list about a WordPress XSS 0-Day.

Pynnönen writes:

Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password,
create new administrator accounts, or do whatever else the currently
logged-in administrator can do on the target system.

The workaround is to:

Disable comments [..] Do not approve any comments.
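One way to apply that workaround site-wide without touching every post by hand is a must-use plugin. This is an added example, not code from the advisory or from WordPress; the file name and the plugin header are assumptions, and it relies only on core WordPress hooks.

```php
<?php
/*
 * Plugin Name: Close All Comments (stop-gap)
 * Description: Hypothetical must-use plugin that closes comments and pingbacks
 * everywhere and holds anything already submitted, until the site is updated.
 * Place it in wp-content/mu-plugins/ so it cannot be deactivated from the admin UI.
 */

// Report every post as closed to comments and pingbacks. This hides the comment
// form on the front end and makes wp-comments-post.php reject new submissions.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Hand the theme an empty comment list so existing comments are never rendered
// to visitors (the quoted advisory says the script fires when a comment is viewed).
add_filter( 'comments_array', '__return_empty_array', 20, 2 );

// Drop comment support from every post type so the editor cannot reopen discussion.
add_action( 'admin_init', function () {
    foreach ( get_post_types() as $post_type ) {
        if ( post_type_supports( $post_type, 'comments' ) ) {
            remove_post_type_support( $post_type, 'comments' );
            remove_post_type_support( $post_type, 'trackbacks' );
        }
    }
} );

// Belt and braces: anything that still reaches the approval filter is held, never approved.
add_filter( 'pre_comment_approved', function () { return 0; }, 99, 2 );
```

Remove the file once the site is on a fixed release, otherwise comments stay closed indefinitely.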

According to the security researcher:

WordPress has refused all communication attempts about
security issues from us since November 2014.

We have tried to reach them by email, via the national
authority (CERT-FI), and via HackerOne. 

No answer of any kind has been received since November 20.

As far as we know, they have also refused to answer the
Finnish communications regulatory authority who has tried
to coordinate resolving the issues we have reported, and
HackerOne staff who have tried to clarify the status.
