Two new zero-day WordPress XSS vulnerabilities have been found to be targeted by attacks in the wild, but WordPress has worked quickly to issue a patch and fix the issues.
David Dede, a malware researcher with Sucuri Inc., wrote about vulnerabilities in at least two WordPress plug-ins that could lead to XSS exploits. One, the TwentyFifteen theme, is installed by default; the other is JetPack, a popular customization and performance plug-in that has more than one million active installs.
Dede said more plug-ins could well have been vulnerable because the root cause was the genericons package, a WordPress add-on that provides icons commonly used in WordPress site templates. The icon font itself wasn't the issue; the problem instead stemmed from a file demonstrating potential uses. Any plug-in that shipped this example.html file could be vulnerable. His post also noted that the Sucuri team had detected attacks on this vulnerability in the wild "days before disclosure."
The XSS vulnerability in this package could be leveraged with an exploit at the Document Object Model level, according to Dede, meaning that it could be executed directly in the browser. Dede noted that this type of attack is usually more difficult to exploit and harder to block, but the fix in this case was relatively straightforward.
Additionally, the WordPress 4.2.2 update has been released to fix this issue as well as a separate XSS vulnerability that had affected versions 4.2 and lower. The update will scan a site's directory and remove the vulnerable HTML file.
The WordPress blog post also said all affected themes and plug-ins hosted at WordPress.org have been updated to remove the vulnerable file.
Robert Graham, CEO of Atlanta-based Errata Security, said that the specific vulnerable files and the attack vector aren't very important, because the WordPress ecosystem is inherently insecure.
"WordPress is a horribly complex system that is full of holes," said Graham. "If you see a WordPress site, you know it's probably able to be hacked. It's an inherent danger, and you have to keep up with patches aggressively. I don't know that the patching process is something that most places have the resources to do."
Ultimately, Graham suggested enterprises may be better served using WordPress.com, for the automatic updates, or another blogging platform entirely because of the constant security flaws in WordPress.