Flaw in WordPress TwentyFifteen Theme and JetPack Plugin Leaving Websites Vulnerable to Hijacking

Guess what? WordPress is back with yet another vulnerability, and of course, you need to patch your WordPress installation again.

A vulnerability affecting one of WordPress's default themes, which is installed automatically with it, was recently disclosed by Netsparker researchers. The very same vulnerability has been found in one very popular (and, of course, widely used) WordPress plugin, too.

The theme in question is TwentyFifteen and the plugin is JetPack; both are close to the backbone of WordPress. The flaw stems from a file named example.html that ships inside the bundled genericons package, and it is a DOM-based cross-site scripting (XSS) vulnerability.

Millions of websites are at risk of hijacking because of it, which is definitely bad news. Interestingly, researchers at the security firm Sucuri had already exposed the flaw before this vulnerability was publicly disclosed.

Sucuri researchers stated, “In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin”.

The good news, on the other hand, is that Sucuri notified several well-known web hosts about the flaw, and those hosts took the necessary steps to harden security for their customers about a week ago. The hosts include GoDaddy, DreamHost, HostPapa, Inmotion, ClickHost, Pagely, WPEngine, Site5, Websynthesis, Pressable, and SiteGround.

The vulnerability could surely have a huge impact worldwide, but we believe it is not that severe, since an attacker first needs to convince the targeted site's administrator to click a crafted link while already signed in to their WordPress installation.

There's an easy fix to the issue. Sucuri's advice for tackling it: "Remove the unnecessary genericons/example.html file or make sure you have a WAF or IDS that is blocking access to it."

The flaw is also eliminated by updating to the latest WordPress release, 4.2.2, which WordPress issued as a critical update after learning of the vulnerability in question. So, if you have not already, go ahead and update your WordPress installation.

Samuel Sidler from WordPress declared on Thursday, “All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file”.

“To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.”
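The file-removal step that both Sucuri and the 4.2.2 update describe can be applied to an existing install as well. The following is an added example, not WordPress's or Sucuri's code: it walks a wp-content directory you point it at, lists every genericons/example.html (the path quoted above), and deletes it, with a dry-run mode; the sample directory tree it builds is constructed for the demonstration.

```python
# Added example (not WordPress's 4.2.2 code or Sucuri's): find and remove every
# genericons/example.html below a wp-content path you pass in, the mitigation the article quotes.
import os
import tempfile
from pathlib import Path

def find_genericons_example(wp_content):
    """Sorted paths of every genericons/example.html below wp_content; an
    example.html outside a directory named genericons is left alone."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(wp_content):
        if Path(dirpath).name == "genericons" and "example.html" in filenames:
            hits.append(Path(dirpath) / "example.html")
    return sorted(hits)

def remove_genericons_example(wp_content, dry_run=False):
    """Delete each hit and return the paths; with dry_run=True only report them."""
    removed = []
    for path in find_genericons_example(wp_content):
        if not dry_run:
            path.unlink()
        removed.append(path)
    return removed

def build_sample_tree(base):
    """Constructed sample wp-content: a theme and a plugin bundling
    Genericons, plus a decoy example.html that must not be touched."""
    base = Path(base)
    paths = [
        base / "themes" / "twentyfifteen" / "genericons" / "example.html",
        base / "plugins" / "jetpack" / "_inc" / "genericons" / "example.html",
        base / "themes" / "other" / "docs" / "example.html",  # decoy
    ]
    for p in paths:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<html><!-- constructed placeholder --></html>\n")
    return paths

def demo_run():
    """Build the sample tree in a temp dir, clean it up, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = len(remove_genericons_example(tmp, dry_run=True))  # reports only
        removed = len(remove_genericons_example(tmp))
        after = len(find_genericons_example(tmp))
        decoy = (Path(tmp) / "themes" / "other" / "docs" / "example.html").exists()
        return {"before": before, "removed": removed, "after": after, "decoy_intact": decoy}

if __name__ == "__main__":
    print(demo_run())  # {'before': 2, 'removed': 2, 'after': 0, 'decoy_intact': True}
```

Run it once with dry_run=True against a real wp-content first, then without; on a live site also confirm that a WAF or IDS rule blocks requests for the path, in case a plugin update reintroduces the file.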
