Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks.
The flaw stems from a cross-site request forgery (CSRF) issue in WordPress's comment section, one of its core components that is enabled by default, and affects all WordPress installations prior to version 5.1.1.
Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites.
"Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites," Scannell says.
The exploit demonstrated by Scannell relies on multiple issues, including:
- WordPress doesn't use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator.
- Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags.
- The WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open the targeted WordPress site in a hidden iframe from an attacker-controlled website.
By combining all these issues, an attacker can silently inject a stored XSS payload into the target website just by tricking a logged-in administrator into visiting a malicious website containing the exploit code.
According to the researcher, the attacker can then even take complete control over the target WordPress websites remotely by injecting an XSS payload that can modify the WordPress template directly to include a malicious PHP backdoor—all in a single step without the administrator noticing.
After Scannell reported this vulnerability back in October last year, the WordPress team tried to mitigate the issue by introducing an additional nonce for administrators in the comment form, instead of simply enabling CSRF protection.
However, Scannell was also able to bypass that, after which the CMS team finally released WordPress 5.1.1 with a stable patch on Wednesday.
Since WordPress automatically installs security updates by default, you should already be running the latest version of the content management software.
However, if the automatic updating of your CMS has been turned off, you are advised to temporarily disable comments and log out of your administrator session until the security patch is installed.
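For sites that cannot update immediately, the interim advice above (close comments, keep admins out of hidden frames) can be applied from a small must-use plugin. The following is an added example written for this article, not code from WordPress or from the researcher; it assumes it is dropped into wp-content/mu-plugins/, and the helper name tmp_mitigation_is_vulnerable is hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary mitigation for the pre-5.1.1 comment CSRF (example)
 * Description: Denies framing of the frontend and closes comments until core is updated.
 */

// Keep the mitigation active only while core is still older than the fixed release.
function tmp_mitigation_is_vulnerable() {
    global $wp_version; // set by WordPress in wp-includes/version.php
    return version_compare( $wp_version, '5.1.1', '<' );
}

// 1. Send X-Frame-Options on frontend responses (wp-admin already does this),
//    so a logged-in administrator cannot be loaded in a hidden iframe from
//    an attacker-controlled page. 'send_headers' fires for frontend requests.
add_action( 'send_headers', function () {
    if ( tmp_mitigation_is_vulnerable() && ! headers_sent() ) {
        header( 'X-Frame-Options: SAMEORIGIN' );
    }
} );

// 2. Close comments and pingbacks site-wide. wp-comments-post.php checks
//    comments_open() before accepting a submission, so a forged request
//    from the unprotected comment form is rejected with "comment_closed".
add_filter( 'comments_open', function ( $open ) {
    return tmp_mitigation_is_vulnerable() ? false : $open;
}, 20 );
add_filter( 'pings_open', function ( $open ) {
    return tmp_mitigation_is_vulnerable() ? false : $open;
}, 20 );

// 3. Tell administrators in the dashboard that the real fix is still pending.
add_action( 'admin_notices', function () {
    if ( tmp_mitigation_is_vulnerable() && current_user_can( 'update_core' ) ) {
        echo '<div class="notice notice-error"><p>WordPress is older than 5.1.1: '
           . 'comments are closed and framing is denied until core is updated.</p></div>';
    }
} );
```

Once the site is on 5.1.1 or later the checks return false and the plugin becomes inert, so it can be removed at leisure.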