pixel_dreams - Fotolia
A researcher has revealed a proof-of-concept exploit for a WordPress vulnerability, which leverages a stored cross-site scripting (XSS) attack and could lead to remote code execution on affected servers.
According to Pynnönen, the flaw lies in how WordPress truncates very long comments, allowing an attacker to supply attributes in the HTML tags created in the truncation process. When a victim views the comment, the script quietly creates a PHP backdoor in a certain file on the server, which the attacker can later access.
If a victim viewing the comment is logged in with administrator access, the attacker would be able to exploit the vulnerability to execute remote code on the affected server.
Pynnönen said this bug is similar to a vulnerability WordPress recently patched, which had been reported by Cedric Van Bockhaven, cyber risk services consultant at consulting firm Deloitte Nederland, in early 2014. Pynnönen told SearchSecurity the bug he has detailed only took a moment to find and confirm, so he wouldn't be surprised if it is already being actively exploited.
Tod Beardsley, engineering manager at Boston-based vendor Rapid7 LLC, noted that unlike most WordPress bugs, the vulnerabilities detailed by Klikki Oy and Van Bockhaven have a potentially much wider impact because they target the core WordPress CMS engine.
"Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations," Beardsley said. "In addition, the latest vulnerability remains unpatched by the vendor, so WordPress administrators should be spending their Monday morning evaluating if a plugin to mitigate the exposure is right for their site, or if comments should be disabled altogether until a patch is available."
The easiest way to mitigate the risk of this vulnerability, according to Pynnönen, is to disable comments and not approve any new comments.
A post in WordPress community ManageWP suggested the same mitigation method, and confirmed that a patch is currently in the works for this vulnerability. SearchSecurity reached out for comment to Automattic, the company behind the open source WordPress software, but had not received a response at publication.
Pynnönen said that Klikki Oy had spent five months attempting to contact WordPress about this bug, with several emails since November 2014, but no response has been received. Klikki Oy went on to enlist the help of CERT-FI, the national infosec authority in Finland, but WordPress did not respond to inquiries from CERT-FI either. More recently, Pynnönen said he opened bug tickets with Automattic, the San Francisco-based corporation behind WordPress, but has not been able to receive clarification.
Because of these problems, Pynnönen said he deemed the best alternative to be publishing the bug directly, along with mitigation advice. He hopes that this will spur WordPress to resolve the issue in a matter of days, rather than the 14 months it took to patch the similar vulnerability found by Van Bockhaven.
Content management systems now offer content marketing tools.