The cross-site scripting (XSS) vulnerability, uncovered by the security researcher reported by Robert Abela of Security firm Netsparker.
Wordpress vulnerability resides in Genericons webfont package that is part of default WordPress Twenty Fifteen Theme.
Here comes the threat:
The XSS vulnerability has been identified as a "DOM-based," which means the flaw resides in the document object model (DOM) that is responsible for text, images, headers, and links representation in a web browser.
The easy-to-exploit DOM-based Cross-Site Scripting (XSS) vulnerability occurred due to an insecure file included with Genericons that allowed the Document Object Model Environment in the victim's browser to be modified.
What's DOM-Based XSS attack?
In DOM-Based Cross-Site Scripting attack, the payload executes in the DOM (Document Object Model) instead of part of the HTML in the victim's browser,
This means the page itself does not change, but the client side code contained in the page executes in a different manner due to the malicious modifications in the DOM environment.
DOM-based Cross-Site Scripting vulnerabilities are much harder to detect than classic XSS flaws because they reside in the script code from the website.
DOM-based XSS vulnerability allows hackers to steal or hijack your session, carry out very advanced phishing attacks.
The vulnerability is actively being exploited in the wild and so far, the researcher has discovered JetPack plugin and Twenty Fifteen theme to be vulnerable to a DOM-based XSS attack. Apparently, any WordPress plugin that comes with the Genericons package is potentially vulnerable to the attack.
JetPack is a popular WordPress plugin with more than 1 Million download. The plugin is bundled with many useful features including customization, traffic, mobile, content, and performance tools, which makes managing a WordPress site a whole lot easier.
How to hijack a WordPress website?
Generally, a DOM-based XSS attack requires an administrator to click on a malicious link while logging into a vulnerable WordPress installation and once clicked, the hackers can gain full control of the vulnerable website.
Security Firm Sucuri's researcher David Dede explains:
"What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:
https:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin."
It is not clear exactly how many websites are vulnerable to the attack, but JetPack plugin comes installed by default in millions of WordPress templates, making the count even larger.
Measure to protect your WordPress website:
Administrators of WordPress sites should check if their site is running the Genericons package.
In case it is running, they should either immediately delete the example.html file that is included with the package, or at least, make sure that their web application firewall or intrusion detection system is blocking access to it.
Sucuri has contacted and informed almost a dozen Web hosts who have already virtually patched the vulnerability on their websites they host.
The hosts include GoDaddy, ClickHost, Inmotion, HostPapa, DreamHost, WPEngine, Pagely, Pressable, SiteGround, Websynthesis, and Site5.
UPDATE - WORDPRESS INSTALL
WordPress released WordPress 4.2.2 update few hours ago, resolving the above issues with Genericons icon font package as well as patching the critical cross-site scripting (XSS) vulnerability, which could enable hackers to compromise the websites.
Administrators are strongly recommended to immediately update their sites to WordPress 4.2.2.
WordPress allows security patches to get rolled out to users automatically. But administrators with 'Disabled Auto-update' feature are strongly recommended to upgrade their sites as soon as possible.
WordPress allows security patches to get rolled out to users automatically. But administrators with 'Disabled Auto-update' feature are strongly recommended to upgrade their sites as soon as possible.
