New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites


If for some reason your WordPress-based website has not yet been automatically updated to the latest version, 5.1.1, it is highly recommended that you upgrade it immediately, before attackers take advantage of a newly disclosed vulnerability to compromise your site.

Simon Scannell, a researcher at RIPS Technologies GmbH who has previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management system (CMS) that can lead to remote code execution.

The flaw stems from a cross-site request forgery (CSRF) issue in WordPress's comment section, a core component that is enabled by default, and it affects all WordPress installations prior to version 5.1.1.

Unlike most of the previous attacks documented against WordPress, this exploit lets an "unauthenticated, remote attacker" gain remote code execution on a vulnerable WordPress site. Unauthenticated here means the attacker needs no account of their own; what they still need is for a logged-in administrator to visit a page they control.

“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell says.

The exploit demonstrated by Scannell relies on multiple issues, including:

  • WordPress performs no CSRF validation when a user posts a new comment, so an attacker can post comments on behalf of an administrator who visits an attacker-controlled page.
  • Comments posted by an administrator account are not sanitized (administrators hold the unfiltered_html capability, so kses filtering is skipped) and may contain arbitrary HTML, including SCRIPT tags.
  • The WordPress front end is not protected by the X-Frame-Options header, so an attacker can load the targeted WordPress site in a hidden iframe on an attacker-controlled website.

By combining all these issues, an attacker can silently inject a stored XSS payload into the target website just by tricking a logged on administrator into visiting a malicious website containing the exploit code.

According to the researcher, the attacker can then take complete control of the target WordPress site remotely: because the injected script runs in the administrator's browser with the administrator's session, the XSS payload can use the built-in theme editor to modify a WordPress template and include a malicious PHP backdoor, all in a single step and without the administrator noticing. (Sites that define DISALLOW_FILE_EDIT in wp-config.php disable that editor, which removes this particular step from XSS to code execution, though not the XSS itself.)

After Scannell reported the vulnerability in October last year, the WordPress team tried to mitigate the issue by introducing an additional nonce for administrators in the comment form, instead of simply enabling CSRF protection for comment submission.

However, Scannell was able to bypass that mitigation as well, after which the WordPress team released version 5.1.1 with a proper patch on Wednesday.

Since WordPress installs minor and security releases automatically by default, you should already be running the latest version.

However, if automatic updates have been turned off on your site, you are advised to temporarily disable comments and log out of your administrator session until the security patch has been installed.
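For a site that cannot update immediately, the three weaknesses listed above and the interim advice here can each be addressed with a few core hooks. The following must-use plugin is an added example written for this article; it is not WordPress core code, not the 5.1.1 patch, and not from the RIPS report. It assumes a WordPress install where the core hooks and functions named in the comments exist (all are long-standing core APIs); the `_example_comment_nonce` field name and `example_comment_` action prefix are this example's own choices.

```php
<?php
/**
 * Plugin Name: Comment CSRF interim hardening (example, not WordPress core)
 *
 * Place in wp-content/mu-plugins/ on a site that cannot yet move to 5.1.1.
 * Each hook targets one link of the chain described in the article.
 * Remove it once the site has been updated.
 */

// 1. Framing. Core sends X-Frame-Options only for wp-admin pages
//    (send_frame_options_header() is hooked on admin_init). Hooking the same
//    core function on send_headers extends SAMEORIGIN to the front end, so an
//    attacker-controlled origin can no longer embed the site in a hidden iframe.
add_action( 'send_headers', 'send_frame_options_header' );

// 2. Sanitisation. Core skips kses for users with the unfiltered_html
//    capability, which is why an administrator's comment may carry <script>.
//    This closure pushes every comment through wp_filter_kses, which applies
//    the comment allow-list, regardless of who submits it. A closure is used
//    so that core's kses_remove_filters() (which removes the filter by name)
//    cannot take it off again. Defining DISALLOW_UNFILTERED_HTML in
//    wp-config.php achieves the same for all content types, not only comments.
add_filter( 'pre_comment_content', function ( $content ) {
	return wp_filter_kses( $content );
}, 5 );

// 3. CSRF. Add a nonce to the comment form for logged-in users and refuse,
//    rather than downgrade, a submission without a valid one. It is limited to
//    logged-in users so that full-page caches served to anonymous visitors do
//    not embed a nonce that later expires and breaks commenting for them.
add_action( 'comment_form', function ( $post_id ) {
	if ( is_user_logged_in() ) {
		wp_nonce_field( 'example_comment_' . (int) $post_id, '_example_comment_nonce' );
	}
} );

add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$nonce = isset( $_POST['_example_comment_nonce'] ) ? $_POST['_example_comment_nonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'example_comment_' . (int) $comment_post_id ) ) {
		// Fail closed: the request did not originate from our own comment form.
		wp_die(
			'Comment rejected: missing or invalid request token.',
			'Comment rejected',
			array( 'response' => 403 )
		);
	}
} );

// 4. Kill switch, matching the interim advice to disable comments. Closing
//    comments makes wp_handle_comment_submission() return a comment_closed
//    error before any comment data is built. Uncomment to enable.
// add_filter( 'comments_open', '__return_false', PHP_INT_MAX );
// add_filter( 'pings_open', '__return_false', PHP_INT_MAX );
```

Hooks 1 to 3 each break one link of the chain independently, so the attack fails even if only one of them is in place; hook 4 is the blunt option when comments are not needed while waiting for the update. None of this replaces applying 5.1.1, and an administrator who has already viewed a poisoned comment should still assume their session was used and audit the theme files.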

