Reply to post:

Attackers target new XSS in millions of WordPress sites

Anonymous Coward
Mushroom

Yeah, this is easy to overlook - just a bit of JS in an HTML file. Only problem is, it's using unsanitized input from window.location.hash, and it's found in predictable locations on target sites. The hardest part of exploiting it is tricking an admin into clicking a crafted URL.

The WTFs are that the offending JS was newly added window dressing (it's not in the twentyfourteen theme's example.html) and that something so innocuous is enough to own WP or any CMS.

Nuke icon because WWW doomsday is coming...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021