back to article Attackers target new XSS in millions of WordPress sites

Sucuri researcher David Dede has uncovered a critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to hijack websites. Dede, part of a consultancy renown for its prolific WordPress popping, found the Twenty Fifteen plugin installed on all WordPress sites is being actively …

  1. Bronek Kozicki

    WordPress on my machines? Just say no.

    1. Phuq Witt
      Alert

      "My" Being the Operative Word

      "...WordPress on my machines? Just say no...."

      "my" being the operative word. I don't use WordPress for any of my personal sites. But when a complete 'non-techie' client asks you to build them a website on which they can C/R/U/D content, there really isn't anything more user friendly out there.

      [Much though I shudder, every time I have to wade through the tangled PHP jungle of its codebase.]

  2. Mage Silver badge

    example.html

    I don't see a genericons/example.html in twenty fifteen

    Installed or Active plug in?

    "Twenty Fifteen plugin installed on all WordPress"

    1. AMBxx Silver badge
      Unhappy

      Re: example.html

      Nor me. I'm off on holiday tomorrow, so daren't update WordPress until I'm back. Took 2 days to fix the last update.

      Wish I'd chosen something else, but there are probably problems with the competition too.

  3. Anonymous Coward
    Anonymous Coward

    Looks like an update has removed that file now - several hosted sites here had the file yesterday (i.e. is in the backup) but is not present now.

    Having looked at the backup of that file, I'm amazed that anyone would include such an obvious hole! I'm no XSS expert, but after a swift glance through the javascript it was blazingly obvious.

    1. SImon Hobson Bronze badge

      I'm not a programmer, and I haven't looked at the code involved ...

      Such things are often obvious when looked at "from the outside" or with a fresh pair of eyes. A few times I've come back later (could be days, could be years) to look at some script I knocked up - and found myself wondering why on earth I did it that way :-/ Not just scripts on the computer - many a time I've either been stuck for how to do something and only thought of the way when I've given up for a cup of tea; or found a way and wondered the next day why I made it so hard.

      And if you do any writing, always get someone else (ideally who isn't connected with it) to proof read it. You can read through it many times yourself - and another proof reader will find some "how did I miss that !" typos. That's just the way the human brain works.

  4. Anonymous Coward
    Mushroom

    Yeah, this is easy to overlook - just a bit of JS in an HTML file. Only problem is, it's using unsanitized input from window.location.hash, and it's found in predictable locations on target sites. The hardest part of exploiting it is tricking an admin into clicking a crafted URL.

    The WTFs are that the offending JS was newly added window dressing (it's not in the twentyfourteen theme's example.html) and that something so innocuous is enough to own WP or any CMS.

    Nuke icon because WWW doomsday is coming...

  5. Tranzcoder

    WordPress is the Swiss Cheese of content management solutions...

  6. Phuq Witt
    Facepalm

    Shome Mishtake, Shirley?

    "...Dede ... found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked..."

    Eh? –TwentyFifteen is one of the default themes that ship with WordPress. Not a plugin. And, if my reading of your reading of the situation is right, the vulnerability is with Genericons [which is an open-source 'icon font' which can be included in any theme, or any website] –not a vulnerability with WordPress, per se.

    Anyway, must dash now. I've recently built a WordPress theme which uses the Genericons font. So I better check I didn't leave the 'default.html' file in there!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like