A quick search through this website will find plenty of news alerts about security vulnerabilities in WordPress and its 40,000+ third-party plugins.
Don’t get me wrong – I love WordPress. It’s an extraordinarily good content management system for websites, and I use it myself for this site.
But I also understand that if you use WordPress, you really do have to take security seriously.
By the way, when I talk about WordPress security here, I’m referring to self-hosted installations of WordPress where you run the software yourself on a server.
I’m *not* referring to wordpress.com, where security is someone else’s concern (and they do a very good job of it), but which – in typical swings and roundabouts fashion – gives you a lot less opportunity to tinker with how your site works.
And if you find the difference between wordpress.org and wordpress.com confusing, you’re not the only one.
So, here’s the latest reason why you need to treat security as a priority if you run WordPress.
On Sunday, Finnish security researcher Jouko Pynnönen of Klikki Oy went public with details of a zero-day serious cross-site scripting (XSS) vulnerability in WordPress 4.2 and earlier.
A hacker could inject code into the comments form found on millions of blogs worldwide, which – when viewed by the site’s administrators – could allow them to change passwords, add new passwords or take other actions that would normally require website admin rights.
Here is a video (to rather more classy music than the typical zero-day exploit video receives) showing an attack in action:
Here is how Pynnönen described the flaw:
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
Fortunately, a few hours ago, WordPress has released a new security update which reportedly fixes the issue – version 4.2.1.
However, security researcher Jouko Pynnönen appears to remain frustrated at the tardiness of WordPress to respond to vulnerabilities he has uncovered:
“WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to respond to the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status our open bug tickets.”
Quite why Pynnönen wasn’t getting a response from the developers responsible for securing the WordPress software is something of a mystery – and a concerning one at that.
With such a large part of the internet dependent on WordPress, it’s essential that vulnerabilities are found quickly and squashed promptly.
If you administer your own WordPress website, please be sure to ensure that you are running the latest version of the software and are keeping your plugins patched too.
As I described last week, take steps now to ensure that your WordPress site is hardened against potential attacks and your chances of compromise are minimised.