WordPress Vulnerability Affects Millions of Websites; Fix Issued

WordPress Vulnerability Affects Millions of Websites; Fix Issued
Advertisement
Security researchers have discovered vulnerabilities in the default installation of WordPress, leaving sites that use content management system open to attack - specifically a critical cross-site scripting vulnerability that allows anonymous users to compromise the site.

David Dede from Sucuri security research company has claimed that any WordPress theme or plugin that runs a genericons package is at risk. Dede adds that the one of the default themes for WordPress, TwentyFifteen, as well as the JetPack plugin, use the genericons icon fonts package.

The vulnerability can allow attackers to hack into any WordPress website using the default theme and plugin if the administrator accidentally clicks on a malicious link. The genericons package comes with an insecure file that makes the site open to cross-site scripting vulnerability.

The firm on Thursday released version 4.2.2 update which is basically a security and maintenance release targeted to fix the vulnerability. The latest release addresses two security issues including updated genericons used in default themes and plugins that scan the WordPress content directory for the affected (and "nonessential") example.html file and removes it.

Dede of Sucuri tried to demystify the vulnerability and explains, "The XSS vulnerability is very simple to exploit and happens at the Document Object Model (DOM) level. DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) "environment" in the victim's browser used by the original client side script, so that the client side code runs in an "unexpected" manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment."

The security firm has also listed few hosts that have also patched the issue recently including GoDaddy, HostPapa, DreamHost, ClickHost, Site5, and SiteGround among others.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Internet, Vulnerability, WordPress
Ketan Pratap
Ketan Pratap is the editor at Gadgets 360 - with over 12 years of experience covering the technology domain. With a breadth and depth of knowledge in the field, he's done extensive work across news, features, reviews, and opinion pieces. But what's truly inspiring about Ketan is how he spends his free time. He's often found gazing at snow-capped mountains from over 20,000 feet while sitting on the hood of his car, taking in the breathtaking beauty of nature. His passion for the great ...More
Nokia Inks IT Infrastructure Deal With HP, Microsoft, Telefonica
DoT's New Norm Gave Undue Advantage of Rs. 3,367 crores to Reliance Jio: CAG
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Follow Us
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »