WordPress zero-day or how to hijack millions of websites

Exploit Code Enables Unauthorized Administrative Control over Countless WordPress Websites Worldwide

Millions of WordPress websites worldwide are at risk from two newly identified vulnerabilities that give attackers a way to take control of web servers without authorization. Code that exploits one of the most recent WordPress versions has been published, which makes this a zero-day exploit.

Zero-Day Vulnerability: Unveiled

A zero-day vulnerability is a flaw in software that is not yet known to the software vendor. Attackers exploit the hole before the vendor learns of it, forcing the vendor to rush out a fix. Attacks that use such a flaw are called zero-day attacks.

Understanding the Vulnerabilities

Both vulnerabilities are stored (persistent) cross-site scripting (XSS) flaws. They let an attacker inject code into the HTML that is delivered to the administrators who manage the affected websites. In both cases the malicious code is placed in the default comments section at the bottom of a WordPress post or article. Once it runs, the attacker can change passwords, add new administrator accounts, or perform almost any action a legitimate administrator can, including taking the site offline or embedding malicious links to third-party sites.

The exploit works by posting a short piece of JavaScript as a comment, padded with a very large amount of text (around 66,000 characters, which is more than 64 kilobytes). When someone logged in with WordPress administrator privileges views the comment, the malicious code runs silently, with no visible sign that an attack is taking place. Note that WordPress normally does not publish a user's comments on a post automatically unless that user has previously had a comment approved by an administrator. To get around this, attackers first post a harmless comment and wait for it to be approved; after that, further comments by the same user on the same post are approved and published automatically.
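The two paragraphs above describe what a defender can look for: a comment that is far larger than any genuine one (the article's figure is about 66,000 characters, over 64 KB), that contains active markup, and that reaches the administrator's browser unescaped because the author had an earlier comment approved. The following Python is an added example written for this article, not WordPress code and not from the original post. It assumes a simple comment record (`author`, `post_id`, `body`) and shows three defensive checks a moderation layer could apply: flag oversized comments, flag comments carrying script-like markup, refuse the "previously approved author" auto-approval shortcut when the new comment looks suspicious, and HTML-escape the body before it is rendered for an administrator. The size limit, the markup patterns and the sample comments are constructed for the example.

```python
import html
import re
from dataclasses import dataclass, field

# Size threshold taken from the article: the attack comments carried roughly
# 66,000 characters, i.e. more than 64 KiB. Anything at or above this is held.
SIZE_LIMIT = 64 * 1024

# Markup that has no business in a plain-text comment. This is a constructed,
# deliberately small list for the example; a production filter would be broader.
SUSPICIOUS_MARKUP = re.compile(
    r"<\s*script|<\s*iframe|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


@dataclass
class Comment:
    """Minimal stand-in for a stored comment row (hypothetical structure)."""
    author: str
    post_id: int
    body: str


@dataclass
class ModerationResult:
    reasons: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.reasons)


def assess_comment(comment: Comment) -> ModerationResult:
    """Return the reasons a comment should be held for manual moderation.

    An empty reason list means nothing suspicious was found.
    """
    result = ModerationResult()
    if len(comment.body) >= SIZE_LIMIT:
        result.reasons.append("oversized")
    if SUSPICIOUS_MARKUP.search(comment.body):
        result.reasons.append("active-markup")
    return result


def should_auto_approve(comment: Comment, previously_approved_authors: set) -> bool:
    """Hardened auto-approval rule.

    The article describes the weak rule: once an author has one approved
    comment, later comments on the same post are published automatically.
    Here a known author still gets held whenever the new comment itself
    trips one of the checks above, so trust in the author never bypasses
    inspection of the content.
    """
    if comment.author not in previously_approved_authors:
        return False
    return not assess_comment(comment).needs_review


def render_comment(body: str) -> str:
    """Output encoding for the moderation screen.

    Escaping on output is what stops stored XSS from executing in the
    administrator's browser even if a malicious body reached the database.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


# Constructed sample comments for a local run.
BENIGN = Comment(author="alice", post_id=1, body="Nice article, thanks!")
OVERSIZED = Comment(
    author="alice",
    post_id=1,
    body="<script>x()</script>" + "A" * 66_000,  # harmless placeholder script plus padding
)

if __name__ == "__main__":
    for c in (BENIGN, OVERSIZED):
        verdict = assess_comment(c)
        print(c.author, len(c.body), verdict.reasons,
              "auto-approve:", should_auto_approve(c, {"alice"}))
    print(render_comment(OVERSIZED.body)[:40])
```

Run as a script it prints the verdict for each sample; the important property is that the oversized comment is never auto-approved even though `alice` already has an approved comment, and that whatever reaches `render_comment` comes out as inert `&lt;script&gt;` text rather than a live tag.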

What’s next?

WordPress quickly reacted to this issue and released an urgent security update that addressed these problems.

Our recommendation would be to update WordPress to the latest version and keep updating WordPress and the third-party plugins on a weekly basis to prevent any infections. Backups should also be taken weekly and stored off the site for security reasons.

Need help?

Matrix Internet offers a support service for your website that would include all the best security practices and give you the peace of mind that you need. Contact us if you want to know more about these services and we will be happy to help.

Sources

arstechnica.com
