Millions of WordPress websites vulnerable to XSS bug
The WordPress vulnerability exists in widely used plugins and themes leveraging the Genericons icon font package.
Millions of WordPress websites could be vulnerable to Document Object Model (DOM)-based cross-site scripting (XSS) attacks due to a bug that exists in widely used plugins and themes leveraging the Genericons icon font package, according to a Wednesday post by Sucuri.
With the release of WordPress 4.2.2, which was made available on Thursday, all affected themes and plugins hosted on the WordPress website have been updated by removing a nonessential HTML file – contained in Genericons – that enables the issue, according to a post on the WordPress website.
Although Sucuri could not ascertain the entire scope of the issue, the security company did determine that the JetPack plugin and the Twenty Fifteen theme are vulnerable, and explained that both are installed by default on millions of WordPress deployments. Patches are currently available for JetPack and Twenty Fifteen.
“The severity is the same as any other XSS, but requires some form of social engineering to get an admin to click on a malicious link,” Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Thursday email correspondence.
Sucuri said in its post that it had detected attacks in the wild days before disclosing the issue. Although patches are now available to address the vulnerability, Cid noted that the fix is simple – all a webmaster has to do is remove the ‘genericons/example.html’ file from their site.
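The manual fix Cid describes is easy to apply once, but a site can carry several copies of the Genericons package (one per bundled plugin or theme). The following POSIX shell script is an added example, not code from Sucuri or the WordPress project: it locates every `genericons/example.html` under a WordPress install's `wp-content` directory so an administrator can review the list before deleting the files. The install root is assumed to be passed as the first argument; the plugin and theme locations are the stock `wp-content/plugins` and `wp-content/themes` paths.

```shell
#!/bin/sh
# Added example (not from the article, Sucuri or WordPress): find and remove
# the nonessential Genericons example page that WordPress 4.2.2 strips from
# bundled themes and plugins. Assumes a stock wp-content layout.

# Print the path of every genericons/example.html below wp-content.
find_genericons_example() {
    root="$1"
    find "$root/wp-content" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Print how many copies are present (0 when the install is clean).
count_genericons_example() {
    find_genericons_example "$1" | wc -l | tr -d ' '
}

# Delete every copy; -exec keeps paths with spaces intact (no word splitting).
# Only example.html is touched, so the icon font and CSS stay in place.
remove_genericons_example() {
    root="$1"
    find "$root/wp-content" -type f -path '*/genericons/example.html' \
        -exec rm -f {} + 2>/dev/null
}

# Usage: ./genericons-check.sh /var/www/html          (list copies, dry run)
#        ./genericons-check.sh /var/www/html --remove  (delete them)
if [ -n "${1-}" ]; then
    echo "Genericons example.html copies under $1/wp-content:"
    find_genericons_example "$1"
    if [ "${2-}" = "--remove" ]; then
        remove_genericons_example "$1"
        echo "Remaining copies: $(count_genericons_example "$1")"
    fi
fi
```

Run it once without `--remove` and keep the printed list with the change record; after deleting, rerun to confirm the count is zero, and repeat after plugin or theme updates that may reinstall an older Genericons copy.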
Although a number of WordPress bugs have been disclosed recently, WordPress is not the only content management system (CMS) that is vulnerable.
On Wednesday, Fortinet disclosed a persistent XSS vulnerability affecting e-commerce extension VirtueMart. The vulnerability affects any version of Joomla and all versions of VirtueMart up to 3.07, according to a post on the Fortinet website, which adds that the issue was addressed in VirtueMart version 3.08.
By exploiting the vulnerability, an attacker – who would only need to be a regular registered user on the affected website – could host malware, manipulate financial transactions or even take over the website, the post indicates.