WordPress zero-day exploit lets hackers gain administrative control without authorisation

Security researchers from Finland-based security firm Klikki Oy have discovered two new flaws in the WordPress content management system that allow an attacker to take full administrative control of a website without any authorisation. WordPress, which is used by millions of websites, was quick to issue a security patch today, after the flaws were made public.

However, websites that don't update their WordPress installation are still susceptible to the exploit. Both vulnerabilities are stored, or persistent, cross-site scripting (XSS) bugs: they allow an attacker to inject code into the HTML content received by the administrators who maintain the website.

As with many previous WordPress vulnerabilities, both new attacks work by posting a specially crafted comment on a blog post.

Once the comment is in place, the attacker can change passwords, add new administrators, or take just about any other action a legitimate admin can perform.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The exploit works by posting some simple JavaScript code as a comment and then padding it with a massive amount of text, about 66,000 characters or more than 64 kilobytes. The padding is not decoration: the database column that stores comment text (a MySQL TEXT column) holds at most 64 KB, so the comment is truncated on insert and the HTML that WordPress later renders from it is malformed, which is what lets the injected code slip past the sanitisation applied to the original submission. Once the comment is viewed by someone logged in with WordPress administrator rights to the site, the malicious code executes with no outward indication that an attack is under way.

By default, a comment from a first-time commenter is held for moderation rather than published. Attackers can work around this by first posting an innocuous comment; once an administrator approves it, the crafted comment can follow, because under default settings subsequent comments from a previously approved author are automatically approved and published.
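The two behaviours described above, the oversized comment carrying script and the innocuous-first-comment trick, leave a pattern in the comments table that an administrator can hunt for. The following is an added triage script, not code from the original article, from WordPress or from Klikki Oy. It assumes comments have been exported as dicts keyed by the wp_comments column names (comment_ID, comment_author, comment_content, comment_approved) in posting order, and that discussion settings come from wp_options under the keys comment_moderation and comment_whitelist; the sample rows and settings are constructed for illustration.

```python
"""Offline triage for the stored-XSS comment pattern: oversized bodies that
hit the 64 KB TEXT column limit, script-like markup, and payload comments
that follow an earlier approved comment from the same author.

Added example; assumes wp_comments/wp_options column and option names as
described in the lead-in. Sample data below is constructed, not real.
"""
import re

# MySQL TEXT columns hold at most 65,535 bytes; a comment body at or near
# this size is the signature of the padding the attack relies on.
TEXT_COLUMN_LIMIT = 65535
NEAR_LIMIT = 60000  # flag anything this large even if it was not truncated

# Markup that has no business in a blog comment and is a typical XSS carrier:
# script tags, inline event handlers inside a tag, javascript: URLs.
SUSPICIOUS_MARKUP = re.compile(
    r"<\s*script\b|<[^>]*\son[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def triage_comment(comment):
    """Return the list of reasons this comment looks like the attack, or []."""
    body = comment["comment_content"]
    reasons = []
    size = len(body.encode("utf-8"))
    if size >= NEAR_LIMIT:
        reasons.append(f"oversized body: {size} bytes (column limit {TEXT_COLUMN_LIMIT})")
    if SUSPICIOUS_MARKUP.search(body):
        reasons.append("script tag, inline event handler or javascript: URL in body")
    return reasons


def triage_comments(comments):
    """Map comment_ID -> reasons for every comment that trips a rule."""
    findings = {}
    for c in comments:
        reasons = triage_comment(c)
        if reasons:
            findings[c["comment_ID"]] = reasons
    return findings


def suspicious_after_approval(comments):
    """Authors whose flagged comment follows an earlier approved, clean one.

    This is the ordering the article describes: one innocuous comment to earn
    approval, then the payload. Comments are assumed to be in posting order;
    comment_approved is the wp_comments string flag ("1" = approved).
    """
    cleared = set()
    hits = []
    for c in comments:
        author = c["comment_author"]
        if triage_comment(c):
            if author in cleared and author not in hits:
                hits.append(author)
        elif c["comment_approved"] == "1":
            cleared.add(author)
    return hits


def approved_author_bypass_possible(options):
    """True if later comments from a previously approved author skip moderation.

    comment_moderation="1" holds every comment for review; comment_whitelist="1"
    is the default "author must have a previously approved comment" rule, which
    is exactly what the innocuous-first-comment trick exploits. Option names
    are an assumption about the wp_options export.
    """
    moderate_all = options.get("comment_moderation", "0") == "1"
    trusted_repeat = options.get("comment_whitelist", "1") == "1"
    return trusted_repeat and not moderate_all


# Constructed sample data (not real comments or settings).
SAMPLE_COMMENTS = [
    {"comment_ID": 1, "comment_author": "alice", "comment_approved": "1",
     "comment_content": "Great post, thanks for sharing."},
    {"comment_ID": 2, "comment_author": "mallory", "comment_approved": "1",
     "comment_content": "Nice article!"},  # the innocuous opener
    {"comment_ID": 3, "comment_author": "mallory", "comment_approved": "1",
     "comment_content": "<script>alert(document.cookie)</script>" + "A" * 66000},
    {"comment_ID": 4, "comment_author": "trudy", "comment_approved": "0",
     "comment_content": '<a href="#" onmouseover="alert(1)">hover me</a>'},
]
SAMPLE_OPTIONS = {"comment_moderation": "0", "comment_whitelist": "1"}

if __name__ == "__main__":
    for cid, reasons in triage_comments(SAMPLE_COMMENTS).items():
        print(f"comment {cid}: " + "; ".join(reasons))
    print("authors using approve-then-inject:", suspicious_after_approval(SAMPLE_COMMENTS))
    print("previously approved authors bypass moderation:",
          approved_author_bypass_possible(SAMPLE_OPTIONS))
```

Run it against a real export by replacing the sample lists; a hit from triage_comments is a comment to delete from the database directly, not to open in the moderation screen on an unpatched site, since rendering it there is the trigger.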

Proof-of-Concept

The proof-of-concept video is given below:

Ars Technica reported that the attack is similar to one disclosed last week by researcher Cedric Van Bockhaven. WordPress users should immediately apply the patch by updating to the latest version. Installing the Akismet plugin to sift out malicious comments, or disabling comments altogether, is another way of safeguarding a website, but neither is a substitute for the update: a spam filter only catches what it recognises.
