WordPress developers released a patch on Wednesday to fix a XSS (Cross-Site Scripting) vulnerability in their code that could potentially allow a hacker to compromise a website. The website can only be exploited if the user is already authenticated as an Admin.
To protect our customers, Instart Logic’s security team investigated this vulnerability and created a new Instart Logic WAF rule to identify the attack.
How does a hacker attack an XSS-vulnerable website?
XSS attacks can give the attacker access to a user’s cookies, make arbitrary changes to the visited page, or turn the user’s client into a bot used to send HTTP requests to unwanted destinations. In more severe cases, it could potentially give the hacker access to the user’s webcam or microphone.
How this vulnerability works
The code for the patch issued by the WordPress team can be found here:
By looking closely we can see that the vulnerability existed in the Error page displayed behind the authenticated URL /wp-admin/customize.php.
Our researchers used a simple HTML payload to show how it works:
As you can see, the browser is executing the href tag instead of sanitizing it.
$this->errors = new WP_Error( 'theme_not_found', sprintf( __( 'The theme directory "%s" does not exist.' ), $this->stylesheet ) );
The patch in WordPress 4.4.1 solves it by sanitizing the theme parameter using the esc_html function before displaying the page.
$this->errors = new WP_Error( 'theme_not_found', sprintf( __( 'The theme directory "%s" does not exist.' ), esc_html( $this->stylesheet ) ) );
How can you protect your Wordpress website?
If you are an Instart Logic customer and you are using our Web Application Firewall (WAF), you are already protected. Otherwise, make sure you upgrade immediately to WordPress 4.4.1 before hackers exploit this vulnerability in your site.