WordPress Stored XSS vulnerability

WordPress Critical Stored Cross-Site Scripting (XSS) Vulnerability

The new version of WordPress (WordPress 4.2), released just a few days ago, has already been scrutinized by white-hat hackers. Just two days after its release, a critical security vulnerability was detected in the new version (which applies to older versions as well): any website or blog running WordPress 4.2 is susceptible to persistent cross-site scripting attacks.

Breaking it down, it means that a crafted payload exploiting this vulnerability (i.e. entering a very long comment containing a JavaScript payload) can result in the execution of arbitrary JavaScript code in the user's browser. If the user viewing the comments also has admin privileges on the website, this scenario can result in complete website compromise.

Detailed analysis and recommendations:
The vulnerability is very similar to one discovered more than a year ago (and patched around 10 days ago), and lies within the WordPress comments mechanism, in which comments entered by the user are stored in a MySQL database.

As was discovered, triggering MySQL's truncation functionality on the entered comment results in malformed HTML code when the comment is presented back to the user. While in version 4.2 WordPress addressed one attack vector that triggers the truncation (entering special characters), it was discovered that another vector, entering very long comments, which also triggers the truncation, was not addressed and is still available.
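The following is an added illustration of the failure mode described above; it is not WordPress code and not part of the original advisory. It emulates a database column that silently truncates on insert (a MySQL TEXT column holds 65,535 bytes; the limit is scaled down here to 64 bytes for readability), shows that a comment which passes a sanitizer intact can still be cut off mid-tag by the storage layer, and demonstrates two defensive checks: rejecting any comment whose encoded length exceeds the column limit before it is stored, and verifying after retrieval that the stored fragment is still structurally intact. The sample comment, the scaled-down limit and the helper names are constructed for this example.

```python
# Added example (not WordPress code): sanitize-then-truncate is unsafe because
# the database, not the sanitizer, has the last word on what gets rendered.

# Constructed, scaled-down column limit; a real MySQL TEXT column is 65535 bytes.
COLUMN_LIMIT = 64


def store_truncating(value: str, limit: int = COLUMN_LIMIT) -> str:
    """Emulate a column that silently truncates on insert (non-strict SQL mode)."""
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def is_structurally_intact(fragment: str) -> bool:
    """True only if every tag is terminated with '>' and every opened element
    is closed. A fragment cut off inside a tag or attribute fails this check,
    which is exactly the shape a truncated comment takes."""
    stack = []
    i, n = 0, len(fragment)
    while i < n:
        if fragment[i] != "<":
            i += 1
            continue
        # Scan to the '>' that ends this tag, honouring quoted attribute values.
        j, quote = i + 1, None
        while j < n:
            c = fragment[j]
            if quote:
                if c == quote:
                    quote = None
            elif c in "\"'":
                quote = c
            elif c == ">":
                break
            j += 1
        if j >= n:
            return False  # tag never terminated: truncated mid-tag
        body = fragment[i + 1:j].strip()
        name_part = body.lstrip("/")
        name = name_part.split()[0].lower() if name_part else ""
        if body.startswith("/"):
            if not stack or stack.pop() != name:
                return False  # stray or mismatched closing tag
        elif not body.endswith("/"):
            stack.append(name)
        i = j + 1
    return not stack  # anything left open means the closing tag was lost


def accept_comment(comment: str, limit: int = COLUMN_LIMIT):
    """Defensive check applied before storage: refuse anything the column could
    silently shorten. Returns the comment if acceptable, None if rejected.
    The bound is measured on the exact bytes that would be written."""
    if len(comment.encode("utf-8")) > limit:
        return None
    return comment


# Constructed sample: a benign <a> tag with a title attribute long enough to
# push the closing quote and the </a> past the column limit. A sanitizer that
# allows <a title="..."> sees nothing wrong with it.
LONG_TITLE_COMMENT = "<a title='" + "x" * 100 + "'>link</a>"


def demo():
    """Returns (intact_before_storage, intact_after_storage, rejected_up_front)."""
    before = is_structurally_intact(LONG_TITLE_COMMENT)
    stored = store_truncating(LONG_TITLE_COMMENT)
    after = is_structurally_intact(stored)
    rejected = accept_comment(LONG_TITLE_COMMENT) is None
    return before, after, rejected


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point of `is_structurally_intact` is that it is run on what comes back from storage, not on what went in; the length check in `accept_comment` is the cheaper control and should sit in front of the database, since a column that truncates silently will accept whatever the application hands it.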

We strongly recommend updating any website running under the WordPress CMS to the newest WordPress version and installing the latest patch.

Analysis and Demo:
http://klikki.fi/adv/wordpress2.html

Recommendations:
WordPress has released a patch to solve the issue:
https://wordpress.org/news/2015/04/wordpress-4-2-1/
We highly recommend installing this patch.