WordPress Zero-Day Exploit Disclosed, Millions of Sites At Risk
Most of the time, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core engine of the WordPress content management system.

Yes, you heard it right. The WordPress CMS used by Millions of website is vulnerable to a zero-day flaw that could allow hackers to remote code execution on the Web server in order to take full control of it.

The vulnerability, found by Jouko Pynnönen of Finland-based security firm Klikki Oy, is a Cross-Site Scripting (XSS) flaw buried deep into the WordPress' comments system.

The vulnerability affects the WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version 4.2.

Pynnönen disclosed the details of the zero-day flaw, along with a video and a proof-of-concept code for an exploit of the bug, on his blog post on Sunday before the WordPress team could manage to release a patch.

Why the researcher made the 0-Day Public?

A similar cross-site-scripting (XSS) vulnerability was patched this week by WordPress developers, which was nearly 14 months after the bug was reported to the team.

Due to fear of delay in fixing this hole, Pynnönen went public with the details of critical zero-day vulnerability in WordPress 4.2 and below, so that the users of the popular content management system could be warned beforehand.

Moreover, Pynnonen reported the vulnerability to the WordPress team but they "refused all communication attempts" he made since November 2014.

The exploitation of the 0-Day vulnerability:

The vulnerability allows a hacker to inject malicious JavaScript code into the comments section that appears at the bottom of Millions of WordPress blogs or article posts worldwide. However, this action should be blocked under ordinary circumstances.

This could allow hackers to change passwords, add new administrators, or take other actions that could only be performed by the legitimate administrator of the website. This is what we call a cross-site scripting attack.

Video Demonstration of the attack:

You can watch the video demonstration below which shows an attack in action:

Pynnonen described the 0-day flaw as below:
"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," Pynnönen wrote in a blog post published Sunday evening.
"Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."
How the 0-Day exploit works?

The zero-day exploit provided by the researcher works by posting a simple JavaScript code as a comment and then adding as long as 66,000 characters or over 64 KB in size.

When the comment is processed by someone with WordPress admin rights to the website, the malicious code will be executed without giving any indication to the admin.

By default, WordPress does not automatically publish a user's comment to a post until and unless the user has been approved by the administrator of the site.

Hackers can bypass this limitation by fooling the administrator with their benign first comment, which once approved would enable any further malicious comments from that person to be automatically approved and published to the same post.

WordPress patches the 0-Day flaw:

In order to fix the security hole, administrators should upgrade their CMS to Wordpress 4.2.1, which was released few hours ago.

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," the WordPress team said of the latest version.

WordPress version 4.2.1 reportedly fixes the zero-day vulnerability reported by Pynnonen. So if you own a WordPress website, make sure that you run an updated version of the CMS with all the plugins up-to-date.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.