Million WordPress websites vulnerable to DOM-based XSS

Pierluigi Paganini May 07, 2015

Every WordPress Plugin or theme that used the genericons package is potentially vulnerable to a DOM-based XSS vulnerability.

Experts at the Sucuri firm have discovered that any WordPress Plugin or theme that leverages the genericons package is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons.

The experts explained that among the vulnerable plugins there is the JetPack plugin, which have more than 1 million active installation, and the TwentyFifteen theme that comes by default.

Due to the large number of affected websites, Sucuri has reported the flaw to the hosting providers.

DOM-based XSS jetpack-for-wordpress

Any plugin that makes use of the genericons package is potentially vulnerable if it includes the example.html file that is normally included with the flawed package.

“We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded,” states Sucuri.

The researchers explained that in order to exploit the DOM-based XSS vulnerability, bad actors need to trick the victim into clicking on an exploit link. Unfortunately, threat actors are already exploiting the DOM-based XSS vulnerability worldwide.

“What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:

http://<img/ src=1 onerror= alert(1)>

In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin.” states a blog post published by Sucuri.

The good news is that it is quite easy to fix the DOM-based XSS vulnerability, it is enough to remove the “example.html” or block access any access to the file.

Pierluigi Paganini

(Security Affairs –  WordPress, DOM-based XSS vulnerability)

you might also like

leave a comment