Skip to main content

Hacking WordPress Website with Just a Single Comment !

Most of the time, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core engine of the WordPress content management system.



The vulnerability, found by Jouko Pynnönen of Finland-based security firm Klikki Oy, is a Cross-Site Scripting (XSS) flaw buried deep into the WordPress’ comments system.

The vulnerability affects the WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version 4.2.
Pynnönen disclosed the details of the zero-day flaw, along with a video and a proof-of-concept code for an exploit of the bug, on his blog post on Sunday before the WordPress team could manage to release a patch.

Why the researcher made the 0-Day Public?

A similar cross-site-scripting (XSS) vulnerability was patched this week by WordPress developers, which was nearly 14 months after the bug was reported to the team.

Due to fear of delay in fixing this hole, Pynnönen went public with the details of critical zero-day vulnerability in WordPress 4.2 and below, so that the users of the popular content management system could be warned beforehand.

Moreover, Pynnonen reported the vulnerability to the WordPress team but they "refused all communication attempts" he made since November 2014.

The exploitation of the 0-Day vulnerability:

The vulnerability allows a hacker to inject malicious JavaScript code into the comments section that appears at the bottom of Millions of WordPress blogs or article posts worldwide. However, this action should be blocked under ordinary circumstances.

This could allow hackers to change passwords, add new administrators, or take other actions that could only be performed by the legitimate administrator of the website. This is what we call a cross-site scripting attack.
Pynnonen described the 0-day flaw as below:
"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,"Pynnönen wrote in a blog post published Sunday evening.
"Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."
How the 0-Day exploit works?

The zero-day exploit provided by the researcher works by posting a simple JavaScript code as a comment and then adding as long as 66,000 characters or over 64 KB in size.

When the comment is processed by someone with WordPress admin rights to the website, the malicious code will be executed without giving any indication to the admin.

By default, WordPress does not automatically publish a user's comment to a post until and unless the user has been approved by the administrator of the site.

Hackers can bypass this limitation by fooling the administrator with their benign first comment, which once approved would enable any further malicious comments from that person to be automatically approved and published to the same post.

WordPress patches the 0-Day flaw:

In order to fix the security hole, administrators should upgrade their CMS to Wordpress 4.2.1, which was released few hours ago.

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," the WordPress team said of the latest version.

WordPress version 4.2.1 reportedly fixes the zero-day vulnerability reported by Pynnonen. So if you own a WordPress website, make sure that you run an updated version of the CMS with all the plugins up-to-date.

Stay connected!!
Labels:

Comments

Post a Comment

Popular Posts

Create Your Own Social Networking Site

Create Your Own Social Networking Site JCOW: Ethical Hacking Top 10 reasons to choose Jcow:- 1. Handle more traffic - Clean codes and Dynamic caching can lower the CPU load and  speed up your website. 2 Make your site more interactive - Well designed Jcow applications help you members to connect and communicate with others more effectively. 3 Add questions to the Registration Form - You can add new member fields, which will be displayed to the registration form, profile form, and the member browsing form. 4 Easily share stuff - Within the AJAX sharing Box, your members can publish status,  photos, videos, and blogs. 5 Customize and Extend your Jcow Network - A Jcow network consists of core apps(like "Friends" and "Messages") and optional apps(like "Blogs" and ""Videos"). You can enable/disable optional apps. You can also develop your own apps. 6 Every profile could be Unique - Members can customize their own profile theme and  add music play
Post a Comment
Read more

Frank Abagnale Criminal

Frank Abagnale Synopsis Frank Abagnale became notorious for impersonating a pilot, a doctor, and a laywer while in his early 20s. He was arrested at 21 by the French police, and later hired by the FBI to teach them his fradulent tricks. He started his own consultating agency, educating corporations, financial institutions and government agencies Early Life Frank Abagnale Jr. was born on April 27, 1948, in Bronxville, New York. He was one of four children born to parents Frank Abagnale Sr. and Paulette Abagnale. The couple met in Algiers during World War II, while Frank Sr. was stationed in Oran. After the war, they moved to New York, where Frank started a stationery business on Madison Avenue. Frank Jr. had a happy childhood, and was especially close to his father. When his mother decided unexpectedly to leave his father, however, the young Frank's life was turned upside-down. Not only were his siblings devastated, but so was his father, who was still very much in lov
Post a Comment
Read more

The Meaning or Definition of Personality According to Experts

Etymological Meaning of Personality - English word 'Personality' has been derived from the Latin word 'Persona'. The word 'Persona' first used in Greek for meaning of theatrical mask which the Greek actors commonly used to wear on their face before coming to the stage for acting. In this sense, in the olden days personality was meant the outward appearance of a person. Today the term personality is explained in various ways. Definitions of Personality :- Personality has been defined by different psychologists in different ways. Following are some of the definitions of personality : According to R.B. Cattell - "Personality is that which permits a prediction of what a person will do in a given situation." According to Allport - "Personality is the dynamic organization within the individual of those psychological systems that determine his unique adjustment to his environment." According to Morton Prince - "Personality
Post a Comment
Read more