Comments considered harmful: WordPress web hijack bug revealed
Patch NOW after researcher drops zero-day on popular blog software
A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts.
The vulnerability is present in WordPress version 4.2 and below. Pynnönen revealed the flaw on his blog on Sunday before the WordPress team could release a patch for the software: the researcher feared WordPress would take too long to fix the hole, and wanted to warn everyone beforehand.
"I didn't report the bug to the vendor this time," Pynnönen told The Register in an email earlier today.
The security blunder is exploited by posting a 64KB comment to a WordPress blog page. This data is truncated as it is written to the database, breaking safety checks that are supposed to filter out malicious code when the comment is displayed to visitors.
The flaw is similar to that discovered by researcher Cedric Van Bockhaven, which WordPress finally got around to patching last week. Bockhaven found that certain invalid characters in comments would allow malicious JS code to slip through and execute in visitors' browsers. This new bug relies of excessively long comments rather than invalid characters to break the filtering.
"[WordPress] took 14 months to produce the code to detect invalid characters in comments," Pynnönen told us, explaining why he revealed his XSS bug before a patch was available.
"During this time all WordPress servers using default comment settings have been quite easily 'hackable'. Now it turns out they still didn't get it right.
"Communication with WordPress developers has been difficult. During the past months I've been trying to find out what they are doing about my previous (yet unreleased) bug. I haven't got any communication from them since November despite trying to ask them directly, via HackerOne staff, and even with help from our national authority (CERT-FI).
"They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable."
To fix the security hole, admins should upgrade to WordPress 4.2.1, which was released in the past few minutes. "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," the team said of the latest version. ®