WordPress urges users to update after comments exploit released

Users of the popular publishing platform are encouraged to patch their systems after a researcher discovered a flaw that could allow an attacker to take over WordPress servers.

WordPress is urging users to update their software after the company fixed a critical cross-site scripting flaw in its popular publishing platform.

WordPress yesterday released version 4.2.1 of its software to address a critical stored cross-site scripting vulnerability discovered by Jouko Pynnönen, a researcher at Finnish security firm Klikki.

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress said.


The update follows Klikki's disclosure of the bug and a proof-of-concept exploit for the flaw, which affected WordPress 4.2 and below. According to Klikki, it published the details before a patch was released in the hope that it would force WordPress to fix the bug, claiming that its attempts to discuss the issue with the company had been ignored. Klikki said it first contacted the company to discuss the flaw in November last year, while WordPress said it was first notified on Monday.

Klikki warned that the flaw can be exploited through the comments section of WordPress sites, and advised users to disable comments and avoid approving any comments on sites running vulnerable versions. The flaw could be triggered by injecting malicious JavaScript longer than 64 kilobytes into the comment field, which offers the attacker a backdoor that can then be used to take control of the targeted server.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long," said Klikki.

"The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core."
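As an added illustration (not code from the article, Klikki or WordPress), the following Python models the mechanism just described with a constructed 64-byte column limit standing in for MySQL's 65,535-byte TEXT limit: markup that was well-formed when the application checked it is silently cut inside an attribute value by the column, and a length check before storage refuses such a comment instead of letting it be truncated. The tag, field names and limit are assumptions chosen for the demonstration.

```python
import html

# Constructed stand-in for the MySQL TEXT column limit the article cites
# (65,535 bytes); a small value keeps the demonstration readable.
TEXT_COLUMN_LIMIT = 64


def render_comment(body: str, link_title: str) -> str:
    """Build the escaped markup the application would consider safe to store.

    Both fields are HTML-escaped, so at this point the output is well-formed.
    """
    safe_title = html.escape(link_title, quote=True)
    return f'{html.escape(body)} <a title="{safe_title}">link</a>'


def mysql_text_truncate(value: str, limit: int = TEXT_COLUMN_LIMIT) -> str:
    """Mimic a non-strict TEXT column: silently cut the value at `limit` bytes."""
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def is_well_formed(markup: str) -> bool:
    """Cheap structural check: every tag closed and every attribute quote paired.

    Escaped text contains no raw '<', '>' or '"', so the counts reflect markup only.
    """
    return markup.count("<") == markup.count(">") and markup.count('"') % 2 == 0


def store_comment_vulnerable(body: str, link_title: str) -> str:
    """Pre-fix flow: escape first, then let the column truncate whatever is too long."""
    return mysql_text_truncate(render_comment(body, link_title))


def store_comment_hardened(body: str, link_title: str) -> str:
    """Refuse anything the column cannot hold intact instead of letting it be cut."""
    markup = render_comment(body, link_title)
    if len(markup.encode("utf-8")) > TEXT_COLUMN_LIMIT:
        raise ValueError("comment too long for storage column; refusing to truncate")
    stored = mysql_text_truncate(markup)
    if stored != markup:  # defence in depth: stored bytes must equal the checked bytes
        raise RuntimeError("stored markup differs from sanitized markup")
    return stored


if __name__ == "__main__":
    # Constructed input: a harmless but oversized attribute value.
    cut = store_comment_vulnerable("hello", "t" * 200)
    print(repr(cut), "well-formed:", is_well_formed(cut))  # title attribute left open
    try:
        store_comment_hardened("hello", "t" * 200)
    except ValueError as err:
        print("rejected:", err)
```

The truncated value ends inside `title="..."`, so whatever the page renders after it is parsed as part of the attribute rather than as text, which is the malformed HTML Klikki describes.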

The security update comes just one week after WordPress released version 4.2 'Powell' which, along with many new features, carried a security update that fixed a similar flaw reported separately by security researcher Cedric Van Bockhaven.

It's been a busy month for WordPress security. Following an FBI alert that ISIS sympathisers were targeting vulnerable WordPress plugins, security firm Sucuri last week revealed that dozens of WordPress plugins were vulnerable to a common cross-site scripting bug that was due to a single ambiguity in WordPress' official documentation.
