Stored XSS bug in WordPress, researchers advise to disable comments

A stored cross-site scripting (XSS) vulnerability impacting current WordPress versions has been identified by Jouko Pynnönen, a researcher with Finnish IT company Klikki Oy.

Essentially, JavaScript injected into the comments section of a WordPress website is triggered when the comment is viewed, according to a Sunday post. The vulnerability can be leveraged for various purposes, such as gaining administrator privileges.

“If the comment text is long enough, it will be truncated when inserted in the database,” the post stated, adding “the truncation results in malformed HTML generated on the page” and that “the attacker can supply any attributes in the allowed HTML tags.”

WordPress website operators should not approve any comments, or should disable comments, to prevent being affected by the issue, according to the Klikki Oy post.
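The ordering problem the post describes, shown as an added Python example that is not from the advisory or from WordPress: a toy allowlist sanitizer stands in for the real comment filter, a constructed column limit `MAX_LEN` models a database field that silently truncates, and the two `store_*` functions contrast the vulnerable order (filter, then truncate) with a safe one (measure the exact stored string and reject anything over the limit).

```python
import html
import re

# Constructed stand-in for a database column that silently truncates (not WordPress's real limit).
MAX_LEN = 40
ALLOWED_TAGS = {"a", "b"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^<>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def sanitize(text: str) -> str:
    """Toy allowlist filter: keeps permitted tags with double-quoted permitted
    attributes and HTML-escapes everything else (stand-in for a real sanitizer)."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS:
            kept = [f'{k}="{html.escape(v, quote=True)}"'
                    for k, v in ATTR_RE.findall(attrs)
                    if not closing and k.lower() in ALLOWED_ATTRS.get(name, set())]
            out.append(f"<{closing}{name}{' ' + ' '.join(kept) if kept else ''}>")
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def is_well_formed(fragment: str) -> bool:
    """sanitize() only emits a raw '<' for an allowed tag, so a '<' with no
    following '>' means a tag or attribute value was cut mid-way."""
    return re.search(r"<[^>]*$", fragment) is None


def store_unsafe(comment: str) -> str:
    """Vulnerable ordering: the filter approves the full text, then the column
    truncates it, and the page renders whatever fragment survived."""
    return sanitize(comment)[:MAX_LEN]


def store_safe(comment: str) -> str:
    """Safe ordering: measure the exact string that will be stored and refuse
    it when over the limit, so truncation can never happen after filtering."""
    cleaned = sanitize(comment)
    if len(cleaned) > MAX_LEN:
        raise ValueError("comment exceeds storage limit; refusing to truncate")
    return cleaned


# Constructed, benign inputs: a short comment and an over-long title attribute.
SHORT_COMMENT = "<b>hi</b> & bye"
LONG_COMMENT = '<a href="https://example.com" title="' + "x" * 30 + '">link</a>'
```

With the vulnerable order, `store_unsafe(LONG_COMMENT)` ends inside the `title` attribute with no closing `>`, which `is_well_formed` flags; with the safe order the same input is rejected before anything reaches the page.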
