Hackers target critical XSS vulnerability in millions of Wordpress sites

One researcher says the critical flaw is caused by a simple example.html file enclosed by default in plugin packages.
Written by Charlie Osborne, Contributing Writer

Millions of Wordpress websites are at risk due to a vulnerability present in the default installation of the content management system.

Security researcher David Dede warned on Wednesday the vulnerability, a critical cross-site scripting (XSS) flaw, is found in the Twenty Fifteen theme and plugin -- which is installed in new Wordpress sites by default. As Dede notes, it is difficult to estimate how many websites are vulnerable, but millions of websites which leave the theme intact are likely to be at risk -- and the vulnerability is currently being exploited in the wild.

In addition, the JetPack plugin, offered by Wordpress, is also vulnerable to the DOM-based XSS flaw. This plugin, which offers customization tools, traffic analysis, mobile compatibility and new widgets is actively being used on over one million websites.

The problem lies in plugins and themes which leverage the genericons package. An insecure file loaded with the package, dubbed example.html, is vulnerable to a Document Object Model (DOM)-based XSS vulnerability. Attackers modify the DOM environment in the victim's browser used by the original client-side script, causing code to run in an unexpected manner. Client-side code contained in the page then executes with the malicious changes, but the XSS payload is never sent server-side -- instead, executes directly in the browser.

Once exploited, the XSS flaw could be used to execute Javascript within a browser and hijack a Wordpress website if the owner is logged in as an administrator.

Dede says the XSS vulnerability is "very simple to exploit." However, the fix is also simple -- simply removing the genericons/example.html file resolves the issue. Wordpress website owners are recommended to do so immediately.

"Because of the low severity but mass impact we reached out to our network of hosting relationships in an effort to virtually patch this for millions of WordPress users as quickly as possible," Dede says.

As of a week ago, following disclosure by the security researchers, the following hosts have virtually patched the problem:

  • GoDaddy
  • HostPapa
  • DreamHost
  • ClickHost
  • Inmotion
  • WPEngine
  • Pagely
  • Pressable
  • Websynthesis
  • Site5
  • SiteGround

Dede noted:

"We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded. What's more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations.

Simple oversight, that could have devastating impacts on unsuspecting website owners and businesses alike."

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards