WordPress websites are at risk of being fully compromised due to a critical stored cross-site scripting (XSS) vulnerability in the Akismet plugin, a comment spam filter that has more than a million active installs.
The bug was addressed in the recently released Akismet version 3.1.5, but all other versions of the popular plugin since 2.5.0 are affected, an Akismet blog post said, noting that the WordPress.org plugins team has enabled an automatic update for websites running vulnerable versions.
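The practical check a site owner wants from the paragraph above is whether an installed Akismet copy falls inside the affected range (every release from 2.5.0 up to, but not including, 3.1.5). The script below is an added example, not code from the article, Sucuri or Akismet; it assumes only that the plugin's main file carries the standard WordPress plugin header with a `Version:` field (as WordPress plugins do) and uses a constructed header sample so it runs offline. Version strings are compared numerically so that a release such as 3.1.10 is correctly treated as newer than 3.1.5.

```python
import re

# Affected range as stated in the article: every release from 2.5.0 up to,
# but not including, the fixed release 3.1.5.
FIRST_AFFECTED = "2.5.0"
FIXED_VERSION = "3.1.5"

# Constructed sample of a WordPress plugin header block. On a real site the
# file to read is wp-content/plugins/akismet/akismet.php, which carries the
# same "Version:" field inside its leading comment block.
SAMPLE_HEADER = """<?php
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet
Version: 3.1.4
*/
"""


def parse_version(text, width=3):
    """Turn a dotted version string into a zero-padded tuple of ints.

    Padding makes "2.5" compare equal to "2.5.0", and integer parts make
    "3.1.10" sort after "3.1.9" (a plain string comparison would not).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a dotted version: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, width - len(parts))


def header_version(plugin_source):
    """Extract the Version: field from a WordPress plugin header comment.

    The field may be written as "Version: x" or " * Version: x" depending on
    the comment style, so leading spaces and asterisks are tolerated.
    """
    m = re.search(r"^[ \t*]*Version:\s*(.+?)\s*$", plugin_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when version lies in [FIRST_AFFECTED, FIXED_VERSION)."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_VERSION)


def check_plugin_source(plugin_source):
    """Return (status, version) for the plugin file contents given.

    status is "vulnerable", "ok" or "unknown" (no Version: header found).
    """
    version = header_version(plugin_source)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "ok", version)


if __name__ == "__main__":
    status, version = check_plugin_source(SAMPLE_HEADER)
    print("Akismet %s: %s" % (version, status))
```

To run it against a live install, read `wp-content/plugins/akismet/akismet.php` and pass its contents to `check_plugin_source`; where WP-CLI is available, `wp plugin get akismet --field=version` prints the same version string for `is_vulnerable` to evaluate.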
A Wednesday post by Sucuri, the security firm that identified the issue, explained that the WordPress option for converting emoticons to graphics on display must be enabled – which it is by default – and that the issue exists in how Akismet manages hyperlinks inside the site's comments.
“Because the vulnerability is theoretically exploitable via comments, Akismet is already blocking attempts during the comment-check API call even if you are not running the most recent version,” the Akismet blog post said. “However, to be as safe as possible, you should still upgrade immediately.”
“Once this script is executed on the administrator's browser, it can perform any administrative actions on [their] behalf, like creating new posts filled with SEO spam, changing the user passwords, etc.,” Montpas said. “A full site compromise is possible if the attacker uses that power to modify the site's theme files, which allows [the attacker] to save server-side backdoors on the host.”
Montpas said the bug is easy to exploit since it only relies on the ability to send comments, but that it likely will not be used in the wild because WordPress.org enabled automatic updates. The Akismet release added that there is no evidence the vulnerability is being actively exploited.
The Akismet issue is not the only WordPress plugin vulnerability to be announced this week.
On Wednesday, High-Tech Bridge announced a critical remote file inclusion vulnerability in version 1.5.3 (and likely prior) of the Gwolle Guestbook plugin, which has more than 10,000 active installs. High-Tech Bridge said in an advisory that it has contacted the vendor and is awaiting a solution.