WordPress 3.x persistent script injection

Description
  • WordPress versions 3.9.2 and earlier are affected by a critical stored (persistent) cross-site scripting vulnerability that can allow unauthenticated users to compromise a site. Version 4.0 is NOT vulnerable to this problem.

    From the security advisory:

    "A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These don't require authentication by default.

    The JavaScript injected into a comment is executed when the target user views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard.

    When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges."
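    The affected range above reduces to a version test, and in an assessment the version usually comes from the site's own markup. The following is an added example written for this page, not code from WordPress or from the advisory: it pulls the version from the generator meta tag (or, failing that, from a ?ver= parameter on a wp-includes asset URL) and classifies it exactly as the page states, affected below 3.9.3 on the 3.x line, fixed from 3.9.3, and 4.0 not affected. The sample HTML is constructed for the example. Releases below 3.0 fall outside the advisory's scope and are reported as unknown rather than clean, and a site on an older maintenance branch that received a backported fix still needs a manual check against its own changelog.

```python
import re

# Range as stated on this page: 3.x up to and including 3.9.2 is affected,
# 3.9.3 carries the fix, and 4.0 is not vulnerable.
FIRST_SCOPED = (3, 0, 0)
FIXED_3X = (3, 9, 3)

# Constructed sample page (not a real site): a 3.9.2 install that prints the
# generator tag and loads a core script with a ?ver= query string.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.9.2" />
<script src='https://example.test/wp-includes/js/jquery/jquery.js?ver=1.11.1'></script>
</head><body><p>Hello world!</p></body></html>"""


def parse_version(text):
    """Turn '3.9.2', '3.9.2-alpha' or '4.0' into an int tuple like (3, 9, 2).

    Missing minor/patch components are treated as 0 so '4.0' == (4, 0, 0).
    Returns None if the string does not start with a dotted number.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version):
    """True if the version is in the affected range, False if fixed or on a
    non-vulnerable line, None if unparsable or outside the advisory's scope."""
    v = parse_version(version)
    if v is None or v < FIRST_SCOPED:
        return None  # not covered by this advisory; check separately
    return v < FIXED_3X


def detect_wp_version(html):
    """Extract the WordPress version a page advertises.

    Prefers the generator meta tag WordPress emits in <head>; falls back to
    the ?ver= parameter on a wp-includes asset URL, which WordPress sets to
    the core version for its own scripts and styles unless a plugin or theme
    overrides it. Returns None if neither is present.
    """
    m = re.search(
        r"<meta[^>]*name=[\"']generator[\"'][^>]*content=[\"']WordPress\s+([\d.]+[\w.-]*)",
        html, re.IGNORECASE)
    if m:
        return m.group(1)
    # ver= on a jquery bundle reflects jQuery's version, not core, so skip it.
    m = re.search(r"/wp-includes/(?!js/jquery/)[^\"'\s]*\?ver=(\d+\.\d+(?:\.\d+)?)", html)
    if m:
        return m.group(1)
    return None


def check_page(html):
    """Return (detected_version, status) where status is one of
    'affected', 'not affected', 'unknown'."""
    version = detect_wp_version(html)
    if version is None:
        return None, "unknown"
    result = is_affected(version)
    if result is None:
        return version, "unknown"
    return version, "affected" if result else "not affected"


if __name__ == "__main__":
    print(check_page(SAMPLE_HTML))
```

    The generator tag is frequently suppressed by hardening plugins, and the ?ver= fallback only reflects core when the asset is a core file that nothing has re-registered, so treat a "not affected" verdict from this check as a hint to confirm against wp-includes/version.php on the host, not as proof.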
Remediation
  • Upgrade to WordPress 3.9.3 or later (the fix for the 3.x line shipped in 3.9.3; the 4.0 line is not affected).
References