Millions of WordPress sites left vulnerable by plugin flaw

Millions of WordPress sites have been left vulnerable by a scripting flaw found in two popular plugins, one of which is present in the default installation of the blogging platform, reports Computer World.

The two plugins are JetPack and Twenty Fifteen, the first of which is a customization and performance tool, and the latter is a theme designed to allow infinite scrolling. Twenty Fifteen is installed into new WordPress sites as a default, multiplying the number of potential targets.

As explained by ZD Net, the vulnerability stems from the fact that both plugins use a package called genericons, which contains vector icons embedded in a font, but also an insecure file named “example.html”. It’s this file which has a DOM-based vulnerability which, when exploited by attackers, can be used to execute malicious Javascript within a browser and hijack WordPress sites if the owner is logged in as an administrator.

The vulnerability is said to be easy for cybercriminals to exploit, but also simple to fix. WordPress users should remove the genericons/example.html file immediately to ensure the safety of their sites.

According to PC World a number of hosting sites have already made relevant steps to patch the problem, including GoDaddy, DreamHost and ClickHost.

This latest flaw comes as more bad news for WordPress, who just over a week go found malicious Javascript code could be hidden in its comment system. Meanwhile, WordPress sites were also the target of a number of supposed ISIS hijacks that took place recently, currently under investigation by the FBI, although believed not to be genuinely linked to the extremist group

The company claims to run around 23 per cent of websites on the internet, so it will hope to fix these flaws as quickly and as efficiently as possible.

by Kyle Ellison, ESET

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s