When a logged-in administrator visits the page, the browser parses and runs the injected code without any further action from the admin. From there, the hacker could gain access to the server, change the password, create new accounts or do anything else a logged-in administrator could do.
Forbes notes that the attack requires the hacker to have had a previous comment approved, so that later comments are published without first needing approval.
WordPress will push a security patch out via auto-update to protect many users, but in a written statement to ReadWrite, Matt Mullenweg, CEO of Automattic, the blogging platform’s parent company, played down the potential impact of the exploit: “It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [the anti-spam plugin] Akismet, which blocks this attack.”
Of course, not every site uses Akismet, which costs between $5 and $9 per month for commercial sites and $50 per month for enterprise sites. For sites that are affected, the researchers recommend disabling comments until the vulnerability is patched.
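The interim advice above, switching comments off site-wide until the core patch lands, can be applied as a single must-use plugin. This is an added example, not code from the page, Forbes, WordPress or the researchers; it assumes a standard install where the file is dropped into wp-content/mu-plugins/ and relies only on core hooks.

```php
<?php
/*
 * Plugin Name: Temporarily disable comments
 * Description: Added example (not from the page). Closes comments and pingbacks
 *              site-wide, rejects any comment POST, and hides existing comments
 *              from the front end until the core security patch is applied.
 * Install: copy into wp-content/mu-plugins/ (assumed standard layout); delete after patching.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// 1. Report every post as closed for comments and pingbacks, regardless of the
//    per-post setting. Priority 20 runs after core's own default filter.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// 2. Hard-stop any submission that still reaches wp-comments-post.php
//    (a cached form, or a scripted POST that ignores the missing UI).
add_action( 'pre_comment_on_post', function ( $post_id ) {
    wp_die(
        esc_html__( 'Comments are temporarily disabled on this site.' ),
        esc_html__( 'Comments disabled' ),
        array( 'response' => 403 )
    );
}, 1 );

// 3. Hide previously approved comments from the public templates, so a
//    comment that was already published is no longer rendered to visitors.
add_filter( 'comments_array', '__return_empty_array', 10, 2 );

// 4. Take the comment screens out of the admin area so staff are not nudged
//    into opening the comment list while the issue is unpatched.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
} );
add_action( 'admin_init', function () {
    foreach ( get_post_types() as $type ) {
        remove_post_type_support( $type, 'comments' );
        remove_post_type_support( $type, 'trackbacks' );
    }
} );
```

Step 4 only removes the menu entry; an administrator can still reach the comment list by URL, so the plugin should be treated as a stopgap alongside applying the patch, not as a substitute for it.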