WordPress Zero-Day Exploit Disclosed, Millions of Sites At Risk

Most reported WordPress vulnerabilities involve plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core engine of the WordPress content management system.

The WordPress CMS, used by millions of websites, is vulnerable to a zero-day flaw that allows hackers to achieve remote code execution on the web server in order to take full control of it.

The vulnerability, found by Jouko Pynnönen of a Finland-based security firm, is a cross-site scripting (XSS) flaw buried deep in the WordPress comments system.

The vulnerability affects WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version, 4.2.

Pynnönen disclosed the details of the zero-day flaw, along with a video and proof-of-concept code for an exploit of the bug, before the WordPress team could manage to release a patch.

Why did the researcher make the 0-Day public?

A similar cross-site scripting (XSS) vulnerability was patched by the WordPress developers nearly 14 months after the bug was reported.

Fearing a delay in fixing the hole, Pynnönen went public with the details of the critical zero-day vulnerability in WordPress 4.2, so that users of the popular content management system would be warned about it beforehand.

Moreover, Pynnönen reported the vulnerability to the WordPress team, but they refused to communicate.

The exploitation of the 0-Day vulnerability:

The vulnerability allows hackers to inject malicious JavaScript code into the comments section that appears at the bottom of millions of WordPress blog posts and articles worldwide. Under ordinary circumstances, this action should be blocked.

This can allow hackers to change passwords, add new administrators, or take any other action that the legitimate administrator of the website can perform. This is what is called a cross-site scripting attack.

Pynnönen - 0-day flaw

"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," Pynnönen wrote in a blog post published Sunday evening.
"Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."

How does the 0-Day exploit work?

The zero-day exploit provided by the researcher works by posting simple JavaScript code as a comment and then adding text until the comment is as long as 66,000 characters, or over 64 KB in size.

When the comment is processed by someone with WordPress admin rights to the website, the malicious code is executed without giving any indication to the admin.

By default, WordPress does not automatically publish a user's comment to a post until the user has been approved by the administrator of the site.

Hackers can bypass this limitation by fooling the administrator with a harmless first comment; once it is approved, further malicious comments from the same person are automatically approved and published to the same post.
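
An added example, not part of the original article: a defender-side triage over an exported comment list that flags comments at or above the 64 KB size described above and notes whether each was likely published without moderation because its author already had an approved comment. The record fields, the `triage` function, the status labels and the sample data are assumptions made for illustration, and comment IDs are assumed to be chronological.

```python
from dataclasses import dataclass

LIMIT_BYTES = 64 * 1024  # assumption: cut-off taken from the article's "over 64 KB"

@dataclass
class Comment:  # hypothetical export record, not a WordPress API type
    comment_id: int
    author_email: str
    approved: bool
    content: str

def triage(comments):
    """Map comment_id -> (status, size_in_bytes) for every oversized comment."""
    seen_approved = set()  # authors who already have an approved comment
    findings = {}
    for c in sorted(comments, key=lambda c: c.comment_id):  # oldest first
        author = c.author_email.lower()
        size = len(c.content.encode("utf-8"))  # stored size in bytes, not characters
        if size >= LIMIT_BYTES:
            if not c.approved:
                status = "held"              # still in the moderation queue
            elif author in seen_approved:
                status = "live-unmoderated"  # likely published via the earlier approval
            else:
                status = "live"              # published with no earlier approval on record
            findings[c.comment_id] = (status, size)
        if c.approved:
            seen_approved.add(author)
    return findings

# Constructed sample export (not real data).
SAMPLE = [
    Comment(1, "visitor@example.org", True, "Nice article."),
    Comment(2, "visitor@example.org", True, "x" * 66_000),
    Comment(3, "new@example.net", False, "y" * 70_000),
    Comment(4, "first@example.com", True, "\u00e9" * 40_000),  # 40,000 chars, 80,000 bytes
    Comment(5, "reader@example.com", True, "Thanks!"),
]

if __name__ == "__main__":
    for cid, (status, size) in triage(SAMPLE).items():
        print(cid, status, size)
```

Comment 4 in the sample shows why the check counts bytes: 40,000 two-byte characters already exceed the cut-off.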

 

 

 

 

 

WordPress patches the 0-Day flaw:

To fix the security hole, administrators should upgrade the CMS to WordPress 4.2.1, which has been released.

"It is a critical security release for all previous versions and is recommended to update your sites immediately,"

WordPress version 4.2.1 reportedly fixes the zero-day vulnerability reported by Pynnönen. So if you own a WordPress website, make sure that you run an updated version of the CMS with all the plugins up to date.