Hundreds of thousands of sites running on the WordPress platform face the risk of hijacking attacks, thanks to a vulnerability found in the default installation of a theme in the popular content management system, said online security firm Sucuri.
At the heart of the vulnerability was what is known as the “genericons package”: essentially any plugin that used this package was potentially vulnerable if it included the example.html file shipped with the package, said a blog post by Sucuri researchers.
So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) were found to be vulnerable.
Shorn of the technical mumbo jumbo, the XSS vulnerability was very simple to exploit and happened at the Document Object Model (DOM) level. That meant the XSS payload was never sent to the server side and was executed directly in the browser. DOM-based XSS was a bit harder to exploit, since it required some level of social engineering to get someone to click on the exploit link. However, once that was managed, it provided the same level of access as other types of XSS attacks (reflected or stored), said the blog post.
“Fortunately, the fix for this one is pretty straightforward. Remove the unnecessary genericons/example.html file or make sure you have a WAF (firewall) or IDS that is blocking access to it. Because of the low severity but mass impact, we reached out to our network of hosting relationships in an effort to virtually patch this for millions of WordPress users as quickly as possible,” said the post.
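The remediation the post describes, removing every stray genericons/example.html from an install, is easy to script. The following is an added example (not Sucuri's code and not part of WordPress, JetPack or the TwentyFifteen theme) that scans a WordPress root for copies of the file and optionally deletes them. It assumes the standard wp-content layout; the WordPress root path passed as the first argument is a caller-supplied parameter, and the `--remove` flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not Sucuri's code): locate and remove stray genericons/example.html
# files under a WordPress install. Assumes the standard wp-content layout and
# takes the WordPress root as a caller-supplied argument.

# Print every genericons/example.html under the given WordPress root, one per line.
# Matching on the package directory name keeps unrelated example.html files out of the list.
find_genericons_examples() {
    wp_root="$1"
    find "$wp_root/wp-content" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Count the copies present; 0 means the install is clean with respect to this file.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every copy found and print each removed path.
remove_genericons_examples() {
    wp_root="$1"
    find_genericons_examples "$wp_root" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Stand-alone usage (the --remove flag is this script's own convention):
#   sh genericons_check.sh /var/www/html            # scan only
#   sh genericons_check.sh /var/www/html --remove   # scan and delete
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--remove" ]; then
        remove_genericons_examples "$1"
    else
        find_genericons_examples "$1"
    fi
fi
```

Run the scan first and review the list before passing `--remove`; plugin or theme updates can reintroduce the file, so the scan is worth repeating after updates. Where deleting files from a managed install is impractical, a web-server rule that denies requests for that path gives the same effect as the WAF/IDS blocking the post recommends.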
Image Credit: Sucuri