Attackers target new XSS in millions of WordPress sites

Dirty hole in default plugins

Sucuri researcher David Dede has uncovered a critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to hijack websites.

Dede, part of a consultancy renown for its prolific WordPress popping, found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked.

He says the JetPack plugin with some one million installations is also vulnerable to the easy-to-exploit DOM-based XSS.

"The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package," Dede says .

"That means the XSS payload is never sent to the server side and is executed directly at the browser.

"What is interesting about this attack is that we detected it in the wild days before disclosure."

The XSS occurred thanks to a genericons package that allows the Document Object Model environment in the victim’s browser to be modified.

Users can remove the unnecessary genericons/example.html file to kill the vulnerabilty.

Dede has contacted hosts including GoDaddy, HostPapa, and DreamHost in a bid to get the vulnerability fixed at scale.

"In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded," he says. "What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations."

News of this mess follows the disclosure of a serious vulnerability in eBay's Magneto shopping platform which fellow Sucuri hacker Daniel Cid said allowed fraudsters to reduce invoices to zero. ®

Sponsored: Fast data protection ROI?