WordPress has released a security update, version 5.9.2, that addresses three vulnerabilities: a stored cross-site scripting (stored XSS) flaw and two prototype pollution flaws. The most significant is the stored XSS, which, if an administrator is the victim, can let an attacker take over a site entirely.
WordPress Stored Cross Site Scripting (XSS) Vulnerability
The WordPress security team discovered the stored XSS vulnerability in WordPress core. A stored XSS flaw lets an attacker plant a script in content that the site saves and later serves, so the script runs in the browser of anyone who views the affected page, with that viewer's privileges.
Such vulnerabilities typically appear wherever a site accepts user input, such as the post editor or a contact form. Normally that input passes through sanitization, which keeps only allowlisted content (plain text and a set of permitted HTML tags) and strips or escapes everything else, including script tags and event-handler attributes.
According to Wordfence, the affected code did sanitize the input, but the order in which the sanitization steps ran left room for bypasses.
Wordfence provided the following insight into the patch addressing this vulnerability:
"The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them."
Once a malicious script has been stored, the damage depends on who views it. When an administrator opens the affected page, the script runs in the administrator's browser with the administrator's privileges and can take over the site: create new administrator accounts, change settings, and install backdoors that keep the attacker in even after the original hole is patched.
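Why the order of sanitization steps matters is easiest to see with a small constructed pipeline. The following is an added illustration, not WordPress's kses code and not the specific bypass fixed in 5.9.2: a naive sanitizer that strips script tags is run either before or after a later step that decodes HTML entities. The function names and the decode step are assumptions for the example.

```javascript
// Added illustration of an order-of-operations sanitization bypass.
// Constructed example: not WordPress code, not the actual 5.9.2 bypass.
// Assumed pipeline: "stripScriptTags" is the sanitizer, "decodeEntities"
// is a later processing step that expands HTML entities.

function stripScriptTags(html) {
  // Naive sanitizer: removes <script ...>...</script> blocks it can see.
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

function decodeEntities(html) {
  // Assumed downstream step: expands a few common entities. &amp; is decoded
  // last so that "&amp;lt;" does not turn into "<" by double decoding.
  return html
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Vulnerable order: sanitize first, then transform. The sanitizer only sees
// harmless entity text; decoding afterwards rebuilds a live <script> element.
function processVulnerable(input) {
  return decodeEntities(stripScriptTags(input));
}

// Patched order: canonicalize first, then sanitize, so the sanitizer sees
// exactly the markup that will be stored and rendered.
function processPatched(input) {
  return stripScriptTags(decodeEntities(input));
}

function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed contributor-supplied content with an entity-encoded payload.
const payload = "Hello &lt;script&gt;alert(document.cookie)&lt;/script&gt; world";

console.log(processVulnerable(payload)); // <script> survives into the output
console.log(processPatched(payload));    // "Hello  world"
```

The general rule the example demonstrates: every decoding, normalization or transformation step that can change what markup a string represents must run before the sanitizer, never after it.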
Prototype Pollution Vulnerability
The second class of issue fixed in this release is prototype pollution, a flaw specific to JavaScript and the libraries a site loads in the browser. Every JavaScript object inherits from a prototype, and code that recursively merges untrusted input into an object (a deep merge or extend) can be tricked, through a key such as `__proto__`, into writing properties onto `Object.prototype`, where every object in the page then appears to have them.
There are actually two vulnerabilities of this kind:
- A prototype pollution vulnerability in the Gutenberg URL package, which handles URL parsing and manipulation within WordPress.
- A Prototype Pollution vulnerability in jQuery, which has been resolved in jQuery 2.2.3.
Wordfence noted that it is unaware of any active exploitation of these vulnerabilities, and that the complexity of exploiting them makes them unlikely to be an immediate threat.
Wordfence’s vulnerability analysis concluded:
"An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed."
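The mechanism behind prototype pollution, and why Wordfence says a practical attack needs a separate vulnerable component, is shown in the following added example. It is constructed for this article and is not the Gutenberg URL package, jQuery or WordPress code, nor the specific flaws fixed in 5.9.2: a vulnerable recursive merge lets attacker-controlled JSON write onto `Object.prototype`, and an unrelated renderer that trusts an option flag (the "gadget") then emits raw HTML. The merge, renderer and input are all assumptions for the example.

```javascript
// Added illustration of prototype pollution and of a gadget that turns it
// into XSS. Constructed example: not Gutenberg, jQuery or WordPress code.

// Vulnerable merge: copies every key, including "__proto__". JSON.parse
// produces an own property literally named "__proto__", and target["__proto__"]
// resolves to Object.prototype, so the recursion writes onto the shared prototype.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// recurse into the target's own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget: a renderer that escapes text unless options.allowHtml is set.
// With a polluted prototype, even an empty options object "has" allowHtml.
function render(userText, options) {
  if (options.allowHtml) {
    return userText; // inserted as raw HTML
  }
  return userText.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Constructed attacker input, e.g. a JSON request body or a parsed query string.
const attackerJson = '{"__proto__": {"allowHtml": true}}';
const xssText = '<img src=x onerror="alert(document.cookie)">';

// Runs the attacker input through the given merge into a throwaway object, then
// checks whether an unrelated render() call now emits raw HTML. Cleans up
// Object.prototype afterwards so later code is unaffected.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(attackerJson));
  const output = render(xssText, {});
  const unescaped = output === xssText;
  delete Object.prototype.allowHtml;
  return unescaped;
}

console.log("vulnerable merge leads to raw HTML:", pollutes(mergeVulnerable)); // true
console.log("hardened merge leads to raw HTML: ", pollutes(mergeSafe));       // false
```

The attacker never writes script directly: the merge only sets a property, and the damage appears only because some other code on the page reads a flag it did not set. That dependency on a gadget is what makes the attack complex in practice and is why the fix is to stop the merge from ever touching `__proto__`, `constructor` or `prototype`.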
Severity of the WordPress Stored XSS Vulnerability
Exploiting the stored XSS requires an account with at least contributor-level access, since that is the lowest role that can save post content. An attacker without such an account would first have to obtain contributor credentials.
That extra step raises the bar, but it also means the site's safety hinges on the password hygiene of every contributor account, not just the administrators'. Sites that allow open registration with contributor as the default role effectively hand that access to anyone.
Update to WordPress 5.9.2
The latest WordPress version, 5.9.2, addresses the three security issues above and one bug that could produce an error message on sites previewing the Twenty Twenty-Two theme.
A WordPress tracking ticket described the bug as follows:
"Having an older default theme activated and then clicking to preview Twenty Twenty Two gave me an error screen with a grey background with a white notification box saying ‘The theme you are currently using is not compatible with Full Site Editing.’"
WordPress recommends that all users update to version 5.9.2. Some sites have automatic updates enabled, but many still require someone with administrator access to approve the update manually. Administrators should log in and confirm the running version (the Dashboard > Updates screen shows it, as does `wp core version` with WP-CLI); if it is not 5.9.2, back up the site and then update.
Some administrators prefer to apply the update to a staging copy of the site first to confirm compatibility with their plugins and themes. After a core release, plugin and theme authors often ship follow-up updates to fix any issues that surface.
Regardless, it is highly recommended to update WordPress as soon as possible.