New WordPress XSS Vulnerability Crosses the Privilege Line

August 14, 2015 @ 12:26 PM
| |
2 min read

Cross-site scripting (XSS) problems continue to plague Web pages hosted by large enterprises and major content management tools such as WordPress. It makes sense: The ability to inject code and effectively gain control of what a user can see and do on any given page is a high-water mark for most cybercriminals. WordPress in particular has faced a flood of cross-site issues despite consistent and timely updates. According to Threatpost, British company dxw Security has now discovered another set of XSS vulnerability problems in the popular CMS, all of which pose significant risk.

XSS Vulnerability Issues a Common Concern

On July 23, WordPress released version 4.2.3, which addressed a serious XSS flaw that allowed low-level users to potentially run arbitrary JavaScript code on the front end of any page, gaining complete control. CRM giant Salesforce, meanwhile, just rolled out a new patch for its own XSS issue, which stemmed from a specific application function that “failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request.”

The result? Malicious actors could use JavaScript to lift cookies and session identifiers or force users to download malicious code. So it’s hardly a surprise that WordPress has yet another XSS flaw, especially given the sheer number of plugins used by companies to host a single page — and the number of actors looking for a hole in the code. Hopefully, the security firm’s recent discoveries prompt swift response.

New Risks

The first XSS risk stems from version 3.0 of WordPress’ iFrame plugin. Using this stored vulnerability could give users the power to inject the HTML code of their choosing into WordPress pages and bypass their existing privilege level. The team also discovered a reflected attack vector that could potentially compromise any pages running the get_params_from_url script and give malicious actors control.

Finally, dxw Security uncovered a flaw in Yoast’s Google Analytics plugin that allowed high-level users to attack other users by adding arbitrary bits of JavaScript code. According to Tom Adams of dxw Security, “A user with the ‘manage_options’ capability but not the ‘unfiltered_html’ capability is able to add arbitrary JavaScript to a page visible to admins.” WordPress said both the stored and reflected vulnerabilities have already been addressed by its 4.0 release, but Adams claimed that the stored plugin problem persists and users should disable it until a new version specifically addresses the flaw.

For WordPress, Salesforce and other high-profile software services, popularity is a blessing and a curse. As their user base continues to expand, so, too, does the number of threats as malicious actors look for ways to break through defenses and take control of internal and external Web services. The XSS vulnerability route remains a go-to for many cybercriminals since both platforms and plugins are typically vulnerable — and every patch introduced seems also to spur the discovery of new flaws. In the case of these new WordPress problems, the silver lining is that a security firm found them first, but there’s a critical takeaway: Don’t cross XSS off the list of likely threats just yet.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more