If your WordPress-based website has not yet been automatically updated to the latest version, 5.1.1, upgrade it immediately, before attackers take advantage of a newly disclosed vulnerability to compromise it.
Simon Scannell, a researcher at RIPS Technologies GmbH who has previously reported multiple critical vulnerabilities in WordPress, has discovered another flaw in the content management system (CMS) that can lead to remote code execution.
The flaw stems from a cross-site request forgery (CSRF) issue in WordPress's comment section, a core component that is enabled by default; it affects all WordPress installations prior to version 5.1.1.
Unlike most previously documented attacks against WordPress, this exploit lets an "unauthenticated, remote attacker" compromise a vulnerable WordPress site and gain remote code execution, provided a logged-in administrator can be lured to an attacker-controlled page.
“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell says.
The exploit demonstrated by Scannell relies on multiple issues, including:
- WordPress does not perform CSRF validation when a user posts a new comment, so an attacker can post comments on behalf of an administrator.
- Comments posted by an administrator account are not sanitised and can include arbitrary HTML tags, even SCRIPT tags.
- The WordPress frontend is not protected by the X-Frame-Options header, so an attacker can load the targeted WordPress site in a hidden iframe on an attacker-controlled website.
By combining these issues, an attacker can silently inject a stored XSS payload into the target website just by tricking a logged-in administrator into visiting a malicious website containing the exploit code.
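The three conditions above are all observable from the outside, so a site owner can check their own exposure before relying on auto-update having run. The following checker is an added example written for this article, not code from Scannell, RIPS or the WordPress project: it inspects a front-page response for a WordPress generator tag below 5.1.1, an exposed comment form (the `wp-comments-post.php` action), and the absence of any anti-framing header (`X-Frame-Options` or a restrictive CSP `frame-ancestors`). The two sample responses are constructed for the demonstration, and the version check is a heuristic, since many themes strip the generator tag; `FIXED_VERSION` encodes only what the article states, that 5.1.1 is the fixed release.

```python
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample responses for an offline run (not captured from any real site).
SAMPLE_HEADERS_VULNERABLE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "nginx",
}
SAMPLE_HTML_VULNERABLE = """<html><head>
<meta name="generator" content="WordPress 5.1" />
</head><body>
<form action="https://example.test/wp-comments-post.php" method="post" id="commentform">
<textarea name="comment"></textarea></form></body></html>"""

SAMPLE_HEADERS_PATCHED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_HTML_PATCHED = """<html><head>
<meta name="generator" content="WordPress 5.1.1" />
</head><body><p>Comments are closed.</p></body></html>"""

# The article states 5.1.1 is the release containing the fix.
FIXED_VERSION = (5, 1, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '5.1' to (5, 1, 0) so it sorts below (5, 1, 1)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def wordpress_version(html: str) -> Optional[str]:
    """Read the version from the generator meta tag; None if the theme hides it."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', html, re.I)
    return m.group(1) if m else None


def frame_protection(headers: Dict[str, str]) -> bool:
    """True if cross-origin framing is forbidden by X-Frame-Options or CSP frame-ancestors."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    for directive in lowered.get("content-security-policy", "").split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # 'frame-ancestors *' is present but grants nothing.
            return "*" not in tokens[1:]
    return False


def comment_form_present(html: str) -> bool:
    """The default comment form posts to wp-comments-post.php."""
    return "wp-comments-post.php" in html


def assess(headers: Dict[str, str], html: str) -> List[str]:
    """Return one finding per condition the article's attack chain depends on."""
    findings: List[str] = []
    version = wordpress_version(html)
    if version is None:
        findings.append("version: generator tag absent, cannot confirm WordPress >= 5.1.1")
    elif parse_version(version) < FIXED_VERSION:
        findings.append(f"version: WordPress {version} is below 5.1.1")
    if comment_form_present(html):
        findings.append("comments: comment form exposed on the front end")
    if not frame_protection(headers):
        findings.append("framing: no X-Frame-Options or restrictive CSP frame-ancestors header")
    return findings


def audit_url(url: str) -> List[str]:
    """Fetch a live front page and assess it (network access required; not used offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return assess(dict(resp.headers), resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for label, hdrs, body in (
        ("vulnerable sample", SAMPLE_HEADERS_VULNERABLE, SAMPLE_HTML_VULNERABLE),
        ("patched sample", SAMPLE_HEADERS_PATCHED, SAMPLE_HTML_PATCHED),
    ):
        print(label, "->", assess(hdrs, body) or ["no findings"])
```

An empty finding list does not prove a site is safe (a hidden generator tag only yields an "unconfirmed" finding, and a comment form can live on a post page rather than the front page), but any "version below 5.1.1" finding is a direct signal to update now. Restricting framing with `X-Frame-Options: SAMEORIGIN` or CSP `frame-ancestors 'self'` is a worthwhile hardening step regardless of this bug, as it removes the hidden-iframe delivery the chain relies on.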