Beware of Cross-Site Scripting on all WordPress versions

A cross-site scripting (XSS) vulnerability was recently disclosed for the latest version of WordPress, 4.2 (it also affects all older versions). Anyone who can leave a comment can exploit it to run JavaScript in the browser of an administrator who views the comment and, from there, through the built-in plugin and theme editors, arbitrary code on the server.

As of today the flaw is still unpatched by the software's official distributor, while a PoC has already been released publicly.

iGuRu.gr, as those who follow us know, runs on WordPress. But if you try cross-site scripting on our website you will be disappointed, as our technical team fixed the flaw three hours after it was announced.

An attacker exploiting the flaw could take control of the target site, for example by creating new administrator accounts. In addition to the current version, WordPress 4.2, versions 4.1.2, 4.1.1, and 3.9.3 are also affected.

The vulnerability was discovered by Jouko Pynnönen of the Finnish security firm Klikki Oy and is similar to the one patched in WordPress 4.1.2, which researcher Cedric Van Bockhaven had reported to the WordPress developers about 14 months earlier, on February 23, 2014.

Pynnönen's method targets WordPress comments, specifically what happens to a very large comment (larger than 64 KB) when it is stored in the site's database.

Comments larger than 64 KB are silently truncated by MySQL, because the comment text column cannot hold more. The cut happens after WordPress has already sanitized the comment, so the truncation leaves malformed HTML on the page: the closing quote of an attribute is lost, and markup that the sanitizer had safely quoted turns into extra attributes on the HTML tags WordPress allows. An attacker can use this to inject malicious JavaScript.

Using the flaw, Pynnönen was able to trigger the exploit on the target site when the administrator tried to approve the comment. The researcher tested the vulnerability on MySQL versions 5.1.53 and 5.5.41.
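The following is an added example, not code from the page, from WordPress or from Klikki Oy. It models the mechanism described above: a comment is sanitized first, then handed to a 64 KB TEXT column that silently drops everything past 65535 bytes, so the closing quote of a safely quoted attribute disappears. It also shows the check that closes the hole, which is to measure the sanitized comment in bytes and refuse it before the INSERT rather than let the database shorten it. The toy sanitizer, the allowlist, the regexes and the payload are assumptions made for illustration; the real KSES filter is far more elaborate.

```python
# Added example (not WordPress or Klikki Oy code): models how a sanitized
# comment loses its closing quote when a 64 KB TEXT column truncates it,
# and the pre-insert length check that prevents it. The allowlist, regexes
# and payload below are assumptions made for illustration.
import re

TEXT_COLUMN_BYTES = 65535                   # capacity of a MySQL TEXT column
ALLOWED_ATTRS = {"a": ("href", "title")}    # toy allowlist standing in for KSES

TAG_RE = re.compile(r"<(/?)([A-Za-z]+)([^>]*)>")
ATTR_RE = re.compile(r"([\w-]+)='([^']*)'")


def toy_sanitize(comment):
    """Keep only allowlisted tags/attributes and re-serialise every kept
    attribute value inside single quotes, with embedded quotes entity-encoded.
    Text outside tags is left alone. A toy stand-in for KSES, not the real thing."""
    def rebuild(m):
        closing, tag, raw = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED_ATTRS:
            return ""                               # drop disallowed tags
        if closing:
            return f"</{tag}>"
        attrs = []
        for name, value in ATTR_RE.findall(raw):
            if name in ALLOWED_ATTRS[tag]:
                escaped = value.replace("'", "&#039;")
                attrs.append(f"{name}='{escaped}'")
        return "<" + " ".join([tag, *attrs]) + ">"
    return TAG_RE.sub(rebuild, comment)


def mysql_store(value, strict=False):
    """What a TEXT column does with an over-long string: with strict SQL mode
    the INSERT fails; otherwise MySQL keeps the first 65535 bytes (cut on a
    character boundary) and silently drops the rest."""
    data = value.encode("utf-8")
    if len(data) <= TEXT_COLUMN_BYTES:
        return value
    if strict:
        raise ValueError("Data too long for column 'comment_content'")
    return data[:TEXT_COLUMN_BYTES].decode("utf-8", errors="ignore")


def quoting_intact(markup):
    """True when quotes and angle brackets are still balanced, i.e. nothing
    was cut off inside a tag."""
    return markup.count("'") % 2 == 0 and markup.count("<") == markup.count(">")


def accept_comment(comment):
    """Server-side check that closes the hole: sanitize, then refuse anything
    the column cannot hold. The length is measured in bytes, because that is
    what the column limit counts and multibyte characters would otherwise
    slip past a character count."""
    clean = toy_sanitize(comment)
    if len(clean.encode("utf-8")) > TEXT_COLUMN_BYTES:
        raise ValueError("comment too long for comment_content column")
    return clean


# Constructed payload (an assumption, not copied from the advisory): the
# JavaScript sits inside a quoted, allowlisted title attribute, so the
# sanitizer sees one harmless attribute, and padding pushes the closing quote
# and the </a> past the 64 KB boundary.
PAYLOAD = ("<a title='x onmouseover=alert(1) "
           "style=position:absolute;left:0;top:0;width:5000px;height:5000px "
           + "A" * 66000 + "'></a>")


def demo():
    clean = toy_sanitize(PAYLOAD)
    stored = mysql_store(clean)                 # vulnerable path: silent truncation
    try:
        accept_comment(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "sanitized_intact": quoting_intact(clean),
        "stored_intact": quoting_intact(stored),
        "stored_bytes": len(stored.encode("utf-8")),
        "closing_quote_survives": stored.endswith("'></a>"),
        "rejected_by_length_check": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sanitized payload is well formed; what the non-strict database keeps is 65535 bytes ending in the padding, with one unmatched quote and an unclosed tag, which is the malformed HTML the article refers to. `mysql_store(strict=True)` models MySQL's STRICT_TRANS_TABLES mode, where the INSERT fails with "Data too long for column" instead of truncating; that is worth enabling as defence in depth, but the application still has to handle the error, so the byte-length check before the INSERT is the primary fix.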

Until a WordPress patch is released, webmasters running WordPress are advised not to approve any comments.

More technical details are available on the Klikki Oy website.

Watch the proof of concept (PoC):


Written by giorgos

George still wonders what he's doing here ...
