Attacks recorded before the disclosure of the vulnerability

May 6, 2015 20:36 GMT

A vulnerability in a WordPress theme installed by default with the content management system (CMS) is currently being exploited by attackers, with a potential impact on millions of websites.

The security flaw is a DOM-based cross-site scripting (XSS) bug discovered in a package called “genericons,” which is bundled with multiple plugins and themes for WordPress.

Payload executed at browser level

Researchers from Sucuri warn that the package is also present in the TwentyFifteen theme, which is installed automatically with the CMS. Moreover, it is also found in Jetpack, a plugin with an advertised install count of over one million.

In a blog post on Wednesday, Sucuri’s David Dede says that any WordPress component using the “genericons” package and including the “example.html” file can be exploited.

In a DOM-based XSS attack, the payload is never sent to the server; it is executed in the browser by changing the document object model (DOM), which lets it evade detection by website security solutions that only inspect requests reaching the server.

The DOM defines how the objects in a web page are represented and how interaction with them is carried out. Any change to this environment can lead to unwanted results, such as the execution of malicious code.

Attack requires user interaction, simple fix available

However, successfully compromising a target this way requires social engineering, as the victim has to open a malicious link supplied by the attacker before the malicious routine can run.

Dede published exploit code found in the wild, which only triggers a JavaScript alert on the affected website, but cybercriminals could alter it to hijack the site if the victim who follows the URL is logged in as an administrator.

Given this scenario, the risk is somewhat lower but not completely eliminated, because the door is open for targeted attacks.

On the other hand, staying safe from such incidents is easy: all an admin has to do is remove the “genericons/example.html” file, or configure the website security product to block access to it.
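One way to carry out that cleanup across a whole WordPress install, as an added example that is not from the article or from Sucuri: the script walks the document root for every copy of the file (a theme and several plugins can each ship one), lists them, and deletes them on request. The script name and the `--remove` flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from Sucuri. Locate every copy of the
# genericons "example.html" file beneath a WordPress document root, then remove
# the copies on request. Assumed usage: genericons_check.sh /var/www/html [--remove]

# Print the path of every genericons/example.html under $1, one per line.
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null | sort
}

# Print the number of copies found under $1.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every copy under $1 and print how many were removed.
# Paths are read line by line so names containing spaces survive.
remove_genericons_examples() {
    before=$(count_genericons_examples "$1")
    find_genericons_examples "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    after=$(count_genericons_examples "$1")
    echo $((before - after))
}

main() {
    root="${1:?usage: $0 <wordpress-root> [--remove]}"
    if [ "$2" = "--remove" ]; then
        n=$(remove_genericons_examples "$root")
        echo "removed $n copies of genericons/example.html under $root"
    else
        find_genericons_examples "$root"
        echo "found $(count_genericons_examples "$root") copies (run with --remove to delete)"
    fi
}

# Run main only when executed under the assumed script name, so the functions
# can also be sourced from other maintenance scripts.
case "$0" in */genericons_check.sh|genericons_check.sh) main "$@" ;; esac
```

Run it without `--remove` first to review the list; a plugin update may restore the file, so the check belongs in a recurring maintenance job.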