WordPress vulnerability makes it easy to hijack millions of websites
The WordPress content management system is vulnerable to two newly discovered vulnerabilities. Both are stored, or persistent, cross-site scripting (XSS) bugs.
The bugs allow an attacker to inject code into the HTML content received by administrators. The attacker embeds malicious code in the comments section at the bottom of a WordPress blog or article post; when an administrator views the comment, that code runs in the administrator's browser session. From there the attacker can change passwords, add new administrators, or perform any other action the logged-in administrator is permitted to take.
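As an added illustration (not WordPress code and not the researcher's proof of concept), the following Python sketch shows the defensive principle behind a stored XSS in comments: untrusted comment text must be HTML-entity encoded before it is placed in an administrator's page, and stored comments can be triaged for raw markup. The comment records, the rendering functions and the regular expressions are constructed for this example.

```python
import html
import re

# Constructed sample comments, one of which carries markup that should
# never be rendered live in the admin dashboard.
SAMPLE_COMMENTS = [
    {"id": 1, "author": "alice", "content": "Great post, thanks!"},
    {"id": 2, "author": "mallory",
     "content": "Nice <script>alert(document.cookie)</script> article"},
    {"id": 3, "author": "bob",
     "content": 'Check <a href="#" onmouseover="alert(1)">this</a>'},
]


def render_admin_row_unsafe(comment):
    """Vulnerable pattern: comment text is concatenated straight into admin HTML."""
    return f"<tr><td>{comment['author']}</td><td>{comment['content']}</td></tr>"


def render_admin_row(comment):
    """Hardened pattern: every untrusted field is entity-encoded before insertion."""
    author = html.escape(comment["author"], quote=True)
    content = html.escape(comment["content"], quote=True)
    return f"<tr><td>{author}</td><td>{content}</td></tr>"


# Triage heuristics (constructed): an opening/closing HTML tag, or an
# inline event-handler attribute such as onmouseover=.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def flag_suspicious_comments(comments):
    """Return the ids of stored comments containing raw tags or event handlers."""
    return [
        c["id"]
        for c in comments
        if TAG_RE.search(c["content"]) or EVENT_ATTR_RE.search(c["content"])
    ]


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_admin_row(c))
    print("comments needing review:", flag_suspicious_comments(SAMPLE_COMMENTS))
```

Run against stored comments exported from a site, the triage function gives a quick list of records worth a manual look; the safe renderer shows what the admin view should emit instead of live markup.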
Jouko Pynnönen, a researcher with the Finland-based security firm Klikki Oy, which discovered the vulnerability, wrote:
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
Klikki Oy also provided a video showing how an attacker could use this as a "backdoor" into WordPress:
WordPress has released a critical security update that fixes the vulnerability. Make sure you have installed the latest patch.
Please let us know if you find these security updates useful. Leave a comment below.