![WordPress Under Attack with Double Zero-Day Exploits WordPress Under Attack with Double Zero Day](https://spidersavvy.com/wp-content/uploads/2015/04/WordPress-Under-Attack-with-Double-Zero-Day-Exploits.webp)
WordPress is facing significant security threats. Two zero-day vulnerabilities are being exploited to hack into sites, and these attacks are expected to continue, especially with the exploit code now publicly available.
Details of the Zero-Day Vulnerabilities
On April 27, 2015, Finnish cybersecurity firm Klikki Oy disclosed a critical zero-day vulnerability affecting WordPress 4.2 and earlier versions. They released a video and proof of concept code demonstrating how hackers can embed malicious JavaScript in WordPress site comments. If exploited, this flaw can lead to a cross-site scripting (XSS) attack, allowing attackers to steal usernames and passwords.
If an administrator visits a page containing the malicious comment, the attacker could gain access to the server, change passwords, create new administrator accounts, or perform any actions the logged-in administrator can execute. Klikki Oy advises disabling comments temporarily until a patch is available.
Ryan Dewhurst, a security researcher and owner of the WPScan vulnerability database, confirmed the effectiveness of the attack code and created his own proof of concept, available on GitHub. He noted that the attack requires the hacker to have a previously approved comment on the target site. The exploit involves posting a comment long enough (65,535 ‘A’ characters) to trigger a MySQL database error, allowing the rogue code to be injected.
Gary Pendergast from the WordPress team assured that a fix was in progress but did not provide a timeline. He recommended using the Akismet plugin to help block such attacks.
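To illustrate the defensive side of the comment-length problem described above, here is example code written for this page (not the Klikki Oy or WPScan proof of concept, and not WordPress core code): a pre-storage length check against the MySQL TEXT column limit, and a scan that flags stored comments sitting at that limit with an unterminated tag. The 65,525-byte cap, the function names and the sample rows are assumptions.

```python
import re

# Capacity of a MySQL TEXT column; a comment stored past this point is cut off.
MYSQL_TEXT_MAX_BYTES = 65535
# Assumed cap for accepted comments, kept a little under the column limit.
COMMENT_MAX_BYTES = 65525

# Matches a '<' that opens a tag which never closes before the end of the text.
DANGLING_TAG_RE = re.compile(r"<[^>]*\Z")


def comment_byte_length(content: str) -> int:
    """Length as stored: MySQL counts bytes, not characters."""
    return len(content.encode("utf-8"))


def validate_new_comment(content: str) -> tuple[bool, str]:
    """Reject a comment before it reaches the database if it could be truncated."""
    if comment_byte_length(content) > COMMENT_MAX_BYTES:
        return False, "comment_too_long"
    return True, "ok"


def scan_stored_comments(rows: list[dict]) -> dict[int, list[str]]:
    """Flag already-stored comments that look truncated: at the column limit,
    or ending in a tag that was opened but never closed."""
    findings: dict[int, list[str]] = {}
    for row in rows:
        flags = []
        if comment_byte_length(row["content"]) >= MYSQL_TEXT_MAX_BYTES:
            flags.append("at_text_column_limit")
        if DANGLING_TAG_RE.search(row["content"]):
            flags.append("unterminated_tag")
        if flags:
            findings[row["id"]] = flags
    return findings


# Constructed sample rows (not real site data): a normal comment, and one that
# filled the column exactly and was cut off in the middle of a tag.
SAMPLE_ROWS = [
    {"id": 1, "content": "Nice post, thanks for writing it up."},
    {"id": 2, "content": "A" * (MYSQL_TEXT_MAX_BYTES - 7) + "<a href"},
]

if __name__ == "__main__":
    print(validate_new_comment("A" * 70000))   # (False, 'comment_too_long')
    print(scan_stored_comments(SAMPLE_ROWS))   # {2: ['at_text_column_limit', 'unterminated_tag']}
```

The scan is meant for a one-off review of the comments table after patching; the length check is the kind of guard a site owner would want in front of any storage field of fixed size.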
Recent Vulnerability History
WordPress 4.1.2 was released a week earlier to address several vulnerabilities, including a similar XSS issue reported by researcher Cedric Van Bockhaven. Despite that update, the new zero-day vulnerability means users remain at risk even after upgrading to 4.1.2.
Cloudflare, a major content delivery network, reported seeing malicious emails directing users to compromised WordPress sites hosted by Bluehost. These attacks likely exploit older cross-site scripting flaws, particularly in versions 4.1.1 and earlier.
Urgent Update
Since WordPress powers roughly 20% of the web, users must take immediate precautions. WordPress has released version 4.2.1 to patch the critical flaw. Users are strongly encouraged to update their sites immediately to ensure security.
For continuous updates and detailed information on how to protect your site, stay tuned to the official WordPress blog and relevant security forums.