WordPress suffers a serious XSS leak for the second week in a row

Spread the love

Like last week, WordPress is facing a serious cross-site scripting vulnerability that could allow an attacker to take control of a WordPress installation. Exploit code has emerged that can be exploited. WordPress has hastily released a security update.

In fact, there are two security vulnerabilities, but only one of the two affects WordPress 4.2, the latest version of the popular cms tool; the other only works on older versions. The bugs are in the WordPress comment section; an attacker can leave their own html code in a comment, which will be loaded when other users visit the page. A Finnish security researcher discovered this.

That way, for example, an attacker can inject code that steals cookies from users. Code can also be added that, when the response is viewed by a user who is the administrator of the WordPres installation, changes the administrator’s password, for example. An attacker could then take over the WordPress installation.

The Finnish security researcher who discovered the problem has published a proof of concept, which could be exploited by malicious parties. He also says there are indications that the bug is already being abused. WordPress has therefore hastily released a security update on Monday.

Last week, WordPress already released an update to patch another xss vulnerability. WordPress 4.2 also fixed three minor security vulnerabilities.

You might also like