Updating should be at the top of the priority list

Apr 28, 2015 06:53 GMT

Maintainers of WordPress rushed out a new version of the content management system (CMS), which fixes a zero-day vulnerability affecting all previous releases.

The flaw is a stored cross-site scripting (XSS) issue that can be leveraged through the comment section of a website running WordPress: malicious code hidden in a comment is executed when the comment is viewed, and from there the attack can reach the server.

Text truncation can lead to server-side RCE

An attacker can then execute arbitrary code on the server, create new administrator accounts, or make changes with the same privileges as the currently logged-in admin.

The bug was discovered by Jouko Pynnönen of the Finland-based vulnerability research company Klikki Oy, and it is similar to a bug found and reported privately by Cedric Van Bockhaven, which was fixed in WordPress 4.1.2.

In WordPress, large comments of more than 64 KB are truncated when stored in the database, which results in malformed HTML being generated.

By relying on attributes of the supported HTML tags, the attacker could hide a short piece of malicious JavaScript in the comment and have it execute, without any visible sign, when the administrator viewed the comment in the Dashboard before approving it.

The method discovered by Van Bockhaven is also based on truncation, but there the truncation is induced by the attacker via invalid characters.

Automatic update procedure deployed

On Monday, WordPress 4.2.1 emerged as a critical security release, since all previous versions of the CMS are vulnerable. The new revision has been pushed as an automatic update for the websites that have the feature enabled.

One of the included corrections checks that strings are not too long before they are stored in the database, so that truncation cannot produce unintended results on the server.
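As an added illustration of the kind of length check described above (example code written for this article, not the WordPress core patch itself), a small plugin that rejects over-long comments before they reach the database. The byte limit, the function names and the plugin header are assumptions; `preprocess_comment` and `wp_die()` are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Reject over-long comments (illustrative example)
*/

// Assumed limit: a MySQL TEXT column holds at most 65535 bytes, and anything
// beyond that is silently cut off when stored, which is how an unbalanced tag
// or attribute can end up in the rendered comment. Leave a little headroom.
const ILLUSTRATIVE_MAX_COMMENT_BYTES = 65525;

/**
 * Returns true when the comment body would be truncated by the column limit.
 * strlen() counts bytes, which is the unit the database limit is measured in;
 * mb_strlen() would under-count multibyte text and let an over-long comment through.
 */
function illustrative_comment_too_long( $content, $limit = ILLUSTRATIVE_MAX_COMMENT_BYTES ) {
    return strlen( (string) $content ) > $limit;
}

/**
 * preprocess_comment filter: runs before the comment is inserted, so an
 * over-long submission is refused instead of being stored in truncated form.
 */
function illustrative_reject_long_comment( $commentdata ) {
    if ( illustrative_comment_too_long( $commentdata['comment_content'] ) ) {
        wp_die(
            'Comment is too long.',
            'Comment rejected',
            array( 'response' => 413, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'illustrative_reject_long_comment' );
```

Drop the file into `wp-content/mu-plugins/` to have it load on every request; it is a stop-gap for sites that cannot update immediately, not a replacement for installing 4.2.1.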

If automatic updates are not turned on, administrators can adopt the latest build by downloading and applying it manually or by checking for a new update.

Installing WordPress 4.2.1 should be a priority because the code for exploiting the vulnerability has been publicly available since Sunday.

A video demonstrating the security flaw is available from Klikki Oy: