WordPress has just released a security update. From the release announcement:
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.
Unfortunately, the official blog didn’t mention that this upgrade is actually critical, or why you should update ASAP. Let me explain.
XSS (Cross-Site Scripting) is a security vulnerability that allows malicious users to inject code into web pages viewed by other users. In the case of this WordPress vulnerability, hackers can leave a comment with a specially crafted URL in the “website” field of the comment form. When you open any page in the admin area of your blog that displays this malicious comment (the Dashboard, the Comments section, or the edit page of the specific post), the code in the comment author’s URL is executed and you are automatically redirected to a third-party site (as the release note suggests).
Now that WordPress has disclosed the fact that versions prior to 2.8.2 have an XSS vulnerability, hackers will start searching for a way to exploit this vulnerability. It usually takes only a few hours to create an exploit and configure a botnet to start an attack.
Redirection from the admin to a third-party site may not sound scary to you, but I envision at least two types of attack that can lead to very serious consequences: hackers gaining access to the admin area of your blog, and hackers gaining access to your whole site. (Plus one type that is merely annoying.)
As you know, when you sign in to the WordPress admin area, the first screen you see is the Dashboard, and the Dashboard contains the Recent Comments section that displays the latest comments. If any of those comments has a specially crafted author URL, you will be redirected to a third-party site before the Dashboard has even finished loading.
This third-party site can display a standard WordPress login screen (they all look the same, so if you don’t check the URL in your browser’s address bar you won’t notice the substitution) telling you to try again. Unsuspecting users will enter their credentials again. Hackers will harvest them and redirect the user back to the original admin area. If the XSS code is properly crafted, some users won’t even know that they have just handed their blog credentials to criminals.
By the way, another path to the admin area is to click on the “Approve/Delete/Spam” links in the WordPress notification emails. This way you are also exposed to the attack right after you sign in.
Dear WordPress developers, please make the login screen skinnable. This way bloggers will be able to recognize “alien” login screens that use the wrong theme.
The third-party site may not ask for your password at all. Instead it will try to take advantage of your browser’s vulnerabilities (at this moment IE has a known unpatched security hole, and older versions of other browsers may be vulnerable too) and silently install malware on your local computer. Among other nasty things, trojans scan infected computers and steal stored FTP credentials (for example, FileZilla stores them in plain text in XML files), which are then used to compromise your web site. This is the most “popular” vector for hacking web sites this year.
There are also other ways to exploit this XSS vulnerability. Their consequences may be less dangerous but still very annoying.
Every time you sign in to the blog admin or manage comments, you’ll get redirected to some “prescription drug” site.
So it’s time to upgrade. Right? But wait! What if malicious comments are already waiting for you in the admin area, so that when you sign in to use the WordPress automatic upgrade tool, you are exposed to the XSS attack?
If you don’t want to be exposed to any risk, you should upgrade WordPress before you sign in to the admin area.
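As an added example (not code from this post or from WordPress itself), here is a small Python model of the two defensive pieces the explanation above implies: restricting a comment author URL to http/https and escaping it before it goes into an href in the admin, and auditing an export of existing comments for author URLs that fail that check, which is the kind of look you would want to take before signing in. The comment records, URLs and function names are constructed for illustration; unsafe_render only mirrors the shape of the defect as described (an attribute built from unsanitized input) and is not WordPress’s code.

```python
# Added example, not code from the original post or from WordPress.
# Models the defensive side of the WordPress 2.8.2 issue: comment author
# URLs must be restricted to safe schemes and attribute-escaped before
# being placed in an href in the admin, and existing comments can be
# audited for URLs that fail that check before anyone signs in.
from html import escape
from urllib.parse import urlparse

SAFE_SCHEMES = {"http", "https"}


def sanitize_author_url(raw: str) -> str:
    """Return the URL if its scheme is http/https, otherwise an empty string.

    Whitespace and control characters are dropped first because browsers
    ignore them inside a scheme, so a plain prefix check on the raw string
    would be too weak.
    """
    cleaned = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    if urlparse(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return ""
    return cleaned


def unsafe_render(author: str, raw_url: str) -> str:
    """Shape of the defect described in the post: attribute built from raw input.
    Shown only for contrast with render_author_link; never use this."""
    return '<a href="%s">%s</a>' % (raw_url, author)


def render_author_link(author: str, raw_url: str) -> str:
    """Hardened form: scheme allowlist plus HTML attribute/text escaping."""
    href = sanitize_author_url(raw_url)
    if not href:
        # The author keeps their name, but no link is emitted for a rejected URL.
        return escape(author)
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(author))


# Constructed comment records in the shape of a comments-table export
# (id, author and author URL only); none of these are real comments.
SAMPLE_COMMENTS = [
    {"id": 1, "author": "alice", "url": "https://example.com/blog"},
    {"id": 2, "author": "mallory", "url": "javascript:alert(1)"},
    {"id": 3, "author": "bob", "url": ""},
    {"id": 4, "author": "trudy", "url": " jav\tascript:alert(1)"},
    {"id": 5, "author": "carol", "url": 'http://example.org/"><i>x</i>'},
]


def audit_comment_urls(comments) -> list:
    """IDs of comments whose non-empty author URL the sanitizer would reject."""
    return [
        c["id"]
        for c in comments
        if c["url"].strip() and not sanitize_author_url(c["url"])
    ]


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(c["id"], repr(render_author_link(c["author"], c["url"])))
    print("suspicious comment ids:", audit_comment_urls(SAMPLE_COMMENTS))
```

Two things worth noticing: the scheme check alone is not enough, because a URL with an acceptable scheme can still carry a quote that breaks out of the attribute (comment 5), which is why the hardened renderer also escapes the value; and the audit deliberately flags only non-http(s) schemes, so a record that passes it is still only safe to display through the escaping renderer, not through unsafe_render.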
I hope this post has given you a basic understanding of the security implications of unpatched XSS vulnerabilities in the WordPress admin area. Now you know why you should upgrade and how to do it the right way.
Keep your site secure.
If you like this blog you might also find my free website security tool called Unmask Parasites useful.