Zero-day lets hackers hijack WordPress through rogue comments

A vulnerability in the WordPress blogging platform has been uncovered which allows hackers to hijack websites with a comment containing malicious JavaScript, The Hill reveals.

The exploit was discovered by Finnish security firm Klikky Oy, and allows hackers to push malicious code in the comments section of a website. Attackers need to leave a long comment (over 64kb) containing malicious JavaScript. The length of comment required (65,535 ‘A’ characters, Forbes reckons) is necessary as that is what would trigger the error that allows the code to be displayed.

When a logged-in administrator visits the page, the browser would parse the code, without any additional input from the admin. From there, the hacker could gain access to the server, change the password, create new accounts or do anything else a logged-in administrator could do.

Forbes notes that the attack would require the hacker to have had a previous comment approved, so that the comment would not first need approval before being published.

WordPress will be pushing a security patch out via auto-update to protect many users, but in a written statement to ReadWrite, Matt Mullenweg, CEO of the blogging platform’s parent company Automattic played down the potential impact of the exploit, saying “It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [the anti-spam plugin] Akismet, which blocks this attack.”

Of course, not every site uses Akismet, which costs between $5 and $9 per month for commercial sites, and $50 per month for enterprise sites. For those affected, the researchers recommend the best course of action is to disable comments until the vulnerability is patched.

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.