A dangerous XSS vulnerability has just been identified in WordPress versions prior to 4.0. Using comments, attackers may even be able to gain full administrative control of a vulnerable application. WordPress has therefore released an urgent update addressing this bug and 7 others. Users should update to WordPress 4.0.1 as a matter of urgency.

The XSS vulnerability affects comment boxes on WordPress posts and pages, which by default do not require a user to authenticate when posting a comment.

The vulnerability, reported by Jouko Pynnonen, allows an XSS payload to be injected into a comment. When the page is viewed, the JavaScript in the comment is executed. This execution may happen on the post or page itself or, even worse, on the WordPress administrative dashboard.

If successfully exploited, the vulnerability could allow an attacker to perform administrative actions. The researcher’s PoC exploited the vulnerability by first clearing traces of the XSS payload from the WordPress database and then performing other administrative tasks, including changing the administrator’s password, adding new administrative users, and using WordPress’ Plugin Editor to write arbitrary attacker-supplied PHP code to the server. All of these operations run in the background, hidden from the logged-in user, who notices nothing.
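As an added triage example (not from this post, and not Acunetix or WordPress code): a script a site owner could run over exports of the `wp_comments` and `wp_users`/`wp_usermeta` tables to flag stored comments that carry script markup and to list administrator accounts registered after a given date, since the PoC both plants a comment and creates admin users. The rows below are constructed samples; the column names and the serialised `wp_capabilities` format are assumed to follow the standard WordPress schema.

```python
import re
from html import escape

# Constructed sample rows in the shape of WordPress' wp_comments table
# (only the columns needed for triage are included).
SAMPLE_COMMENTS = [
    {"comment_ID": 11, "comment_author": "alice",
     "comment_content": "Great post, thanks!"},
    {"comment_ID": 12, "comment_author": "eve",
     "comment_content": 'Nice <a href="https://example.test">link</a><script>alert(1)</script>'},
    {"comment_ID": 13, "comment_author": "mallory",
     "comment_content": '<img src=x onerror="alert(document.cookie)">'},
    {"comment_ID": 14, "comment_author": "bob",
     "comment_content": 'See <a href="javascript:void(0)">this</a>'},
]

# Markup that WordPress' comment filter should never let through:
# script elements, inline event handlers and javascript: URLs.
SCRIPT_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

# Constructed sample rows in the shape of wp_users joined with the
# wp_usermeta 'wp_capabilities' row (a PHP-serialised array).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_registered": "2013-05-01 09:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 3, "user_login": "editor1", "user_registered": "2014-02-10 11:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 7, "user_login": "svc-backup", "user_registered": "2014-11-21 02:13:44",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

def find_suspicious_comments(rows):
    """Return the IDs of comments whose stored content carries script indicators."""
    return [r["comment_ID"] for r in rows
            if any(p.search(r["comment_content"]) for p in SCRIPT_INDICATORS)]

def list_administrators(rows, registered_after):
    """Logins of administrators registered after a 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return [r["user_login"] for r in rows
            if '"administrator";b:1' in r["wp_capabilities"]
            and r["user_registered"] > registered_after]

def render_inert(content):
    """Output-encode comment text so a browser treats it as data, not markup."""
    return escape(content, quote=True)
```

Because the PoC removes its own comment from the database, an empty result from the comment check is not a clean bill of health; the administrator listing and a review of plugin files are the complementary checks.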

This vulnerability affects WordPress versions 3.9.2 and earlier and therefore affects approximately 86% of all WordPress installations (as of 20th November 2014).

WordPress 4.0 is not affected; however, WordPress 4.0 users are still strongly advised to update to WordPress 4.0.1, since the 4.0.1 update includes other security bug fixes.

WordPress 3.x persistent script injection vulnerability

Acunetix WVS and Acunetix OVS have been updated to detect this vulnerability. Acunetix identifies WordPress installations and launches version-specific WordPress security checks to ensure your website is secure. Please refer to the following guide on applying the latest updates to Acunetix WVS. Acunetix OVS updates are rolled out automatically and do not require any user action.

View the official WordPress announcement and proceed to update here.


Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.