Recently it was discovered that WordPress has several new vulnerabilities that potentially affect thousands of themes and plugins, and we are urging all customers to get their websites updated / protected IMMEDIATELY to protect themselves from attacks. One of the specific vulnerabilities is due to a very common practice in writing the code for themes/plugins. This does not mean that your website or plugins were poorly made; it just means hackers are that good and found the exploit, so you need to be prepared!

Below are brief details about these vulnerabilities:


1. XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
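The following is an added example (it is not code from Sucuri or from any of the plugins listed on this page) showing the pattern described above and its fix. It is written as a small hypothetical WordPress plugin, so it assumes the WordPress runtime is loaded; the prefix qad_ and the shortcode name are invented for the example. The key point is that add_query_arg() and remove_query_arg() return an unescaped string, and when no URL is passed they build on the current request URI, so the result must be escaped for the context it is printed into (esc_url() for an href attribute).

```php
<?php
/**
 * Plugin Name: Query Arg Escaping Demo (hypothetical, added example)
 * Description: Shows the insecure and the corrected use of add_query_arg()/remove_query_arg().
 */

// INSECURE pattern, kept only for comparison (do not ship this):
// add_query_arg() with no URL argument builds on $_SERVER['REQUEST_URI'] and
// returns the result unescaped, so echoing it straight into an attribute
// reflects whatever the current request URL contained.
function qad_insecure_link() {
    $url = add_query_arg( 'qad_page', 2 );          // no URL given -> current request URI
    return '<a href="' . $url . '">Next page</a>';  // unescaped output sink
}

// CORRECTED pattern: treat the return value as untrusted and escape it for
// the context where it is used. esc_url() is the right escaper for href.
function qad_hardened_link() {
    $url = add_query_arg( 'qad_page', 2 );
    return '<a href="' . esc_url( $url ) . '">Next page</a>';
}

// The same rule applies to remove_query_arg(): escape on output.
function qad_hardened_reset_link() {
    return '<a href="' . esc_url( remove_query_arg( 'qad_page' ) ) . '">Reset</a>';
}

// Register a shortcode so the corrected output can be placed on a page: [qad_links]
add_shortcode( 'qad_links', function () {
    return qad_hardened_link() . ' ' . qad_hardened_reset_link();
} );
```

When the URL is not printed into HTML (for example when it is passed to wp_safe_redirect()), use esc_url_raw() instead of esc_url(), since the HTML-entity encoding applied by esc_url() is only correct inside markup. When auditing a theme or plugin, search for every call to add_query_arg() and remove_query_arg() and confirm that each one is wrapped in an escaping function before it reaches output.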

To date, this is the list of SOME OF THE MOST POPULAR affected plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

Original Article Source: Sucuri.net


2. Critical Persistent XSS 0day in WordPress

Who’s Affected?
If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the website’s code if the script runs in a logged-in administrator’s browser.

You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.

Technical Details
This vulnerability requires an attacker to send a comment long enough to force the backend MySQL database to truncate what is stored.

Original Article Source: Sucuri.net


3. JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.

DOM-based XSS
The XSS vulnerability is very simple to exploit and happens at the Document Object Model (DOM) level. If you are not familiar with DOM attacks, the OWASP group explains it well:

DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

That means the XSS payload is never sent to the server side and is executed directly in the browser. So even someone using our WAF can be vulnerable, since the WAF never gets a chance to see the payload. In this case, we were able to virtually patch the exploit, but DOM-based XSS is very tricky to block.

DOM-based XSS is also a bit harder to exploit, since it requires some level of social engineering to get someone to click on the exploit link. However, once attackers manage to do that, it provides the same level of access as other types of XSS attacks (reflected or stored).
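Because the issue is the bundled example.html file rather than the genericons icons themselves, a practical defensive step is to find every copy of that file under a WordPress install so it can be reviewed and removed. The script below is an added example (not from Sucuri, Automattic or the genericons project); it assumes the file sits at a path ending in genericons/example.html inside wp-content, as the text above describes, and takes the WordPress root directory as its only argument.

```php
<?php
// Added example: list copies of genericons/example.html under a WordPress install.
// Usage: php find-genericons-example.php /var/www/wordpress
// Assumption (from the text above): the insecure file is example.html inside a
// directory named genericons, shipped within a theme or plugin.

function find_genericons_example( string $root ): array {
    $hits = [];
    if ( ! is_dir( $root ) ) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $info ) {
        // Match on file name and on the immediate parent directory name,
        // case-insensitively, so renamed-case copies are still reported.
        if ( $info->isFile()
            && strtolower( $info->getFilename() ) === 'example.html'
            && strtolower( basename( dirname( $path ) ) ) === 'genericons' ) {
            $hits[] = $path;
        }
    }
    sort( $hits );
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    // Themes and plugins live under wp-content, so the scan is restricted to it.
    $root = rtrim( $argv[1], '/' ) . '/wp-content';
    $hits = find_genericons_example( $root );
    if ( ! $hits ) {
        echo "No genericons/example.html found under $root\n";
        exit( 0 );
    }
    foreach ( $hits as $h ) {
        echo "REVIEW: $h\n";
    }
    exit( 1 ); // non-zero so the check can fail a maintenance script
}
```

Deleting the reported files is safe for the icon font itself, since example.html is only a demonstration page; the copies will return on the next update of any theme or plugin that still bundles them, so the check is worth re-running after updates.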


Original Article Source: Sucuri.net


MultiCOLOR Media is currently offering a $99 maintenance service that deals with these potential vulnerabilities. To order this service, call 352-684-4976 or send us a message