WordPress has patched a cross-site scripting vulnerability that could otherwise have let attackers gain full access to any WordPress website.
The security flaw was first spotted by security firm Sucuri. The researchers said that any WordPress theme or plugin that ships the Genericons package was at risk of being compromised, because the package includes an insecure file that exposes the site to a cross-site scripting vulnerability.
One of the default WordPress themes, Twenty Fifteen, as well as the JetPack plugin, uses the Genericons icon font package. The XSS vulnerability is DOM-based, residing in the Document Object Model (DOM) handling of the Genericons package; the DOM is the browser's in-memory representation of the page content. Because the flaw lives in client-side script, the vulnerability would have allowed attackers to take over any WordPress website using the default theme or plugin if an administrator, while logged in, clicked on a malicious link.
“Any WordPress Plugin or theme that leverages the genericons package is vulnerable to DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons,” Sucuri’s blog noted.
“The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.”
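To make the class of bug concrete, the following is an added illustration written for this article; it is not the Genericons `example.html` file and does not reproduce its code. It shows the hypothetical pattern behind a DOM-based XSS (script reads part of the page URL that the server never sees and writes it into an HTML sink), next to a hardened version that allowlists the expected icon name, plus a small check that flags when a rendered fragment introduces markup. Function names, the regular expression and the sample fragment values are all constructed for this example.

```javascript
// Added illustration of DOM-based XSS; not the Genericons example.html itself.
// A DOM-based XSS arises when a script reads attacker-controlled parts of the
// page URL (for instance the fragment after '#') and writes them into an HTML
// sink such as innerHTML without validation or encoding. The fragment is never
// sent to the server, so server-side filters and access logs do not see it,
// which is why a single click by a logged-in administrator is enough.

// Hypothetical vulnerable pattern: the URL fragment is spliced straight into
// markup that would later be assigned to innerHTML.
function renderIconUnsafe(fragment) {
  // "genericon-star" -> '<span class="genericon-star"></span>'
  return '<span class="' + fragment + '"></span>';
}

// Hardened version: only accept what an icon name can legitimately contain.
// The allowlist is an assumption made for this example.
const ICON_NAME = /^[a-z0-9-]{1,64}$/;

// HTML-encode the five characters that matter in element and attribute context;
// used as a second line of defence even though the allowlist already rejects them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderIconSafe(fragment) {
  if (!ICON_NAME.test(fragment)) {
    return null; // reject unexpected input rather than trying to "clean" it
  }
  return '<span class="' + escapeHtml(fragment) + '"></span>';
}

// Detection helper: does a fragment, once rendered, introduce markup beyond the
// single span an honest icon name produces? Useful when auditing a page's own
// URL-to-DOM code paths with sample inputs.
function introducesMarkup(fragment, render) {
  const html = render(fragment);
  if (html === null) return false; // rejected before reaching any sink
  const openingTags = html.match(/<[a-z]/gi) || [];
  return openingTags.length > 1;
}

// Constructed fragment values: a legitimate icon name and one that breaks out
// of the class attribute to add a new element.
const GOOD = 'genericon-star';
const BAD = '"><b>injected</b><span class="';

// Stand-alone demonstration.
console.log('unsafe/good introduces markup:', introducesMarkup(GOOD, renderIconUnsafe)); // false
console.log('unsafe/bad introduces markup: ', introducesMarkup(BAD, renderIconUnsafe));  // true
console.log('safe/bad rendered as:        ', renderIconSafe(BAD));                        // null
```

The practical check this suggests for a site operator is not in the JavaScript at all: confirm whether the deployed theme or plugin still carries the file Sucuri and WordPress describe, since any copy of it served from the site is the exposure, regardless of whether the rest of the theme is otherwise up to date.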
In response, WordPress on Thursday released a fix and urged all of its users to upgrade to version 4.2.2 immediately.
“Any WordPress plugin or theme that includes this file is open to an attack,” WordPress noted in its VaultPress blog.
“We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click ‘Update Now’.
“Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.”
It remains unclear how many users have been affected by the problem.