New WordPress 0Day


WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details of a zero-day vulnerability he discovered in the core engine of WordPress 4.2 & earlier that could lead to remote code execution on the web server. Jouko Pynnonen of Klikki Oy reported a new & unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported.

The vulnerability allows an attacker to inject JavaScript through the WordPress comment field; the comment has to be at least 66,000 characters long, & the script is triggered when the comment is viewed, Pynnonen said.

“An unauthenticated attacker can store JavaScript on WordPress pages & blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” Pynnonen said. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, yet only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation & can inject the exploit to several pages & blog posts.”

WordPress version 4.2.1 reportedly fixes the zero-day vulnerability reported by Pynnonen. So if you own a WordPress website, make sure that you run an updated version of the CMS with all the plugins up-to-date.
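For a site that ran an affected version, stored comments can be triaged against the two conditions described above: a comment of at least 66,000 characters, and an author who already had an approved comment. The following is an added example, not code from the article or from WordPress; it assumes rows exported from the `wp_comments` table as dicts, identifies an author by name plus e-mail as an approximation, and uses constructed sample rows with filler text.

```python
from collections import defaultdict

# Comment length the article cites as the trigger condition (characters).
SUSPICIOUS_LENGTH = 66_000

def triage_comments(rows, threshold=SUSPICIOUS_LENGTH):
    """Flag oversized comments; rows are dicts keyed by wp_comments column names."""
    seen_approved = defaultdict(bool)  # author identity -> had an approved comment
    findings = []
    for row in sorted(rows, key=lambda r: r["comment_date"]):
        # Assumption: an author is identified by name + e-mail.
        author = (row["comment_author"], row["comment_author_email"].lower())
        visible = row["comment_approved"] == "1"
        length = len(row["comment_content"])
        if length >= threshold:
            findings.append({
                "comment_ID": row["comment_ID"],
                "comment_post_ID": row["comment_post_ID"],
                "length": length,
                "visible": visible,  # rendered on the post, so it can be viewed
                # True when an earlier approved comment by this author exists.
                "author_previously_approved": seen_approved[author],
            })
        if visible:
            seen_approved[author] = True
    return findings

def _row(cid, post, name, email, date, approved, content):
    """Build one constructed sample row using wp_comments column names."""
    return {"comment_ID": cid, "comment_post_ID": post, "comment_author": name,
            "comment_author_email": email, "comment_date": date,
            "comment_approved": approved, "comment_content": content}

# Constructed sample data: filler text only, no markup.
SAMPLE_ROWS = [
    _row(1, 12, "visitor", "visitor@example.test", "2015-04-20 10:00:00", "1", "Nice post"),
    _row(2, 12, "visitor", "visitor@example.test", "2015-04-22 09:30:00", "1", "A" * 66_500),
    _row(3, 15, "other", "other@example.test", "2015-04-23 14:00:00", "0", "B" * 70_000),
]

if __name__ == "__main__":
    for finding in triage_comments(SAMPLE_ROWS):
        print(finding)
```

A finding that is both `visible` and `author_previously_approved` is the case to review first, since it is displayed on the post and its author was already past moderation.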
