The SEM Post

Latest News About SEO, SEM, PPC & Search Engines

WordPress XSS Unpatched Zero Day Exploit Discovered; Disable Comments Immediately

April 27, 2015 at 10:08 am PST By Jennifer Slegg

A new exploit in WordPress was disclosed today: a cross-site scripting (XSS) attack can be carried out through comments on a WordPress blog.

Attempts to exploit it have already been observed in the wild, so the threat is a significant one for webmasters who allow commenting through WordPress.

From the Sucuri Blog:

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the site’s code if the code runs in a logged-in administrator’s browser.

You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.

Bottom line: you should disable comments immediately on all blogs until a patch has been released by WordPress. It isn’t known when it will be released, but it has been reported that they are aware of the issue and are working on a patch.

Akismet is reportedly catching these comments and flagging them as spam; however, site owners will want to be very careful that the code in a flagged comment isn’t triggered accidentally, for example by viewing it while logged in as an administrator.

If you need to disable comments, it can be easier said than done, since you can’t easily disable comments retroactively from the dashboard. Here is how to temporarily (or permanently) disable comments on both older posts and new ones.
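As an added illustration of the retroactive shutdown described above (this is not the article's own how-to and not code from the WordPress project), the following SQL closes commenting on every existing post and page, changes the default for new posts, and holds already-stored comments that contain markup for moderation. It assumes the default `wp_` table prefix and direct access to the site's MySQL database; take a database backup before running it.

```sql
-- Added example, not from the article or from WordPress: closes commenting
-- site-wide directly in the database, for the case where the per-post
-- dashboard setting does not reach older posts. Assumes the default "wp_"
-- table prefix (adjust if your wp-config.php uses another one).

-- 1. Stop accepting new comments (and pingbacks) on every existing post/page.
UPDATE wp_posts
   SET comment_status = 'closed',
       ping_status    = 'closed'
 WHERE post_type IN ('post', 'page');

-- 2. Make "closed" the default for posts and pages created from now on.
UPDATE wp_options
   SET option_value = 'closed'
 WHERE option_name IN ('default_comment_status', 'default_ping_status');

-- 3. Review already-stored comments: list approved comments that carry
--    markup an ordinary commenter has no reason to submit. This is a generic
--    review query, not a signature for the specific bug in the article, and
--    it deliberately returns metadata only, so nothing is rendered.
SELECT comment_ID, comment_post_ID, comment_author, comment_author_IP, comment_date
  FROM wp_comments
 WHERE comment_approved = '1'
   AND (comment_content LIKE '%<script%'
        OR comment_content LIKE '%javascript:%'
        OR comment_content LIKE '%onerror=%'
        OR comment_content LIKE '%onload=%');

-- 4. Hold those comments for moderation ('0' = pending) so visitors no longer
--    see them while you decide whether to delete them.
UPDATE wp_comments
   SET comment_approved = '0'
 WHERE comment_approved = '1'
   AND (comment_content LIKE '%<script%'
        OR comment_content LIKE '%javascript:%'
        OR comment_content LIKE '%onerror=%'
        OR comment_content LIKE '%onload=%');

-- To reopen commenting once the site is patched, repeat steps 1 and 2 with
-- 'open' in place of 'closed'.
```

Steps 1 and 2 only stop new comments; they do not remove anything that has already been stored, which is why steps 3 and 4 exist. Triage the held comments from the SQL metadata (or with the comment body inspected as plain text) rather than by opening them in the dashboard, since, as the Sucuri note above points out, the danger is the script running in a logged-in administrator's browser.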

Usually, exploits this significant tend to be reported on after companies have had the opportunity to patch the security issue in a timely manner, something we have seen happen multiple times recently. But in this case, there seems to be an issue between the discoverer of the exploit, Klikki Oy, and WordPress, as WordPress seemingly refused all communication with the company that discovered it. This appears to be the reason why the exploit was disclosed publicly before a patch was released.

WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team has also refused to respond to the Finnish communications regulatory authority, which has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, who have tried to clarify the status of our open bug tickets.

Klikki Oy also released a video of the attack in action.

So disable those comments to be safe, and make sure you update your WordPress installation as soon as the patch becomes available.

Update 4/27/15 11:40 PST: WordPress has now released a patch. If you have auto-updates enabled it will be applied for you, although you can also update manually right away. Those who do not have auto-updates enabled will need to update manually.

Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.