Problem Summary
According to a report from Threatpost.com, versions of WordPress prior to 4.0.1 are vulnerable to a stored cross-site scripting (XSS) attack through the comments feature: JavaScript placed in a comment runs in the browser of whoever views that comment, including an administrator reviewing it in the dashboard. The report applies to WordPress sites that are ‘self hosted’, meaning sites running the downloadable WordPress software on hosting from companies such as Network Solutions, GoDaddy, BlueHost, LunarPages, iPower, and similar providers, where you are responsible for applying updates. If your WordPress site is hosted at WordPress.com, where the software is maintained by the host, this security vulnerability doesn’t apply to you.
Problem Solution
Follow these instructions to update and secure your site.
- Back up your WordPress site before updating. Dashboard > Tools > Export produces an XML file of your posts, pages and comments; it does not include your theme, plugins, uploaded files or database settings, so if your host offers a full backup (database plus the wp-content folder), take that as well. This step is optional, but a good idea in case something goes wrong with the update.
- From your WordPress Dashboard, go to the Updates tab (Dashboard > Updates). Click the link to update to 4.0.1 and follow the instructions. When it finishes, the Updates page should report that you are running 4.0.1. If it already says so before you click anything, your site was most likely updated by WordPress’s automatic background security updates, which were used to distribute this release.
Problem Details
The following excerpt from Threatpost.com describes the nature of this vulnerability and how it would be exploited.
WordPress’s latest update, 4.0.1, patches a critical cross-site scripting vulnerability affecting comment boxes on websites running the content management system software.
An attacker would need only to inject malicious JavaScript into a comment that would infect a reader viewing it on the webpage or an admin in the management dashboard.
Jouko Pynnonen, a security researcher from Finland, yesterday posted some details on the Full Disclosure security mailing list, the same day WordPress released its update.
“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue. The exploit is not then visible to normal users, search engines, etc.,” Pynnonen said. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.” [More…]
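To make the two points in the excerpt concrete, here is a small Python model of a comment pipeline: a comment carrying enough links to be held for moderation, so that only a reviewing administrator ever renders it, and an admin moderation view that interpolates the stored comment into its HTML without encoding it, shown beside a hardened version that encodes it. This is an added example, not WordPress code and not the researcher’s proof of concept. The link-count threshold is modelled on WordPress’s default of two links per comment (an assumption about its behaviour), and the rendering functions, the detection regex and the two sample comments are constructed for illustration.

```python
"""Model of a stored XSS reaching the comment moderation view.

Added example; hypothetical functions, not WordPress's own code.
"""
import html
import re

# Constructed sample comments (not taken from the report).
BENIGN = 'Thanks, this helped me fix my theme.'
MALICIOUS = (
    'Great write-up! '
    '<a href="http://example.com/one">one</a> '
    '<a href="http://example.com/two" onmouseover="alert(1)">two</a>'
    '<script>alert(document.cookie)</script>'
)

# Assumption: modelled on WordPress's default comment_max_links of 2.
MAX_LINKS = 2


def needs_moderation(comment):
    """Hold a comment that carries MAX_LINKS or more links.

    This is the trick the researcher describes: enough links to land in
    the queue, so the only person who renders it is the moderator and
    ordinary readers and search engines never see the payload.
    """
    return len(re.findall(r'<a [^>]*href', comment, re.I)) >= MAX_LINKS


def render_row_vulnerable(comment):
    """Moderation-table row that drops the stored comment into HTML verbatim."""
    return f'<tr><td class="comment">{comment}</td></tr>'


def render_row_hardened(comment):
    """Same row, with the comment HTML-encoded for element content.

    Every tag, including the harmless links, becomes literal text, so
    nothing in the comment can execute in the administrator's browser.
    """
    return f'<tr><td class="comment">{html.escape(comment, quote=True)}</td></tr>'


# A <script> tag, or any tag with an on* event-handler attribute.
SCRIPT_VECTOR = re.compile(r'<script\b|<\w+[^>]*\son\w+\s*=', re.I)


def has_live_script(markup):
    """True if the rendered markup still contains an executable vector."""
    return SCRIPT_VECTOR.search(markup) is not None


def build_views(comments, render):
    """Render the public page (approved comments) and the admin queue (held ones)."""
    public = ''.join(render(c) for c in comments if not needs_moderation(c))
    queue = ''.join(render(c) for c in comments if needs_moderation(c))
    return public, queue


if __name__ == '__main__':
    for name, render in (('vulnerable', render_row_vulnerable),
                         ('hardened', render_row_hardened)):
        public, queue = build_views([BENIGN, MALICIOUS], render)
        print(f'{name:10} public page has script: {has_live_script(public)!s:5} '
              f'| moderation queue has script: {has_live_script(queue)}')
```

Run as written, the vulnerable renderer leaves the `<script>` tag and the `onmouseover` handler in the moderation queue only, which is exactly the profile the excerpt describes: the public page is clean, and the first browser to execute the payload is the administrator’s. Encoding the whole body, as the hardened renderer does, is the conservative fix and turns even the permitted links into literal text; WordPress instead lets a small set of HTML tags through comments via an allowlist filter, which is considerably harder to get right than encoding everything.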