WordPress Plugin Bug Puts Millions of Websites at Risk

Millions of websites running on the WordPress content management system are at risk of attack due to an actively exploited vulnerability.

Security firm Sucuri found that any WordPress plugin or theme that leverages the genericons package – a series of vector icons embedded in a webfont – is vulnerable, including the Jetpack plugin, installed on over 1 million websites, and the Twenty Fifteen theme, which is installed in all new WordPress blogs by default.

In a blog post, Sucuri said the cross-site scripting (XSS) vulnerability resides in genericons, a package that is part of the Twenty Fifteen WordPress theme installed by default. The flaw is ‘DOM-based’: it lives in the document object model, the in-browser structure that determines how text, headers, images and links are represented on the page. The Open Web Application Security Project (OWASP) publishes more information about DOM-based vulnerabilities.

The Hack.

DOM-based XSS attacks only work when the target clicks a malicious link, a limitation that greatly lowers their severity. Still, once a website administrator clicks on the link while logged into a vulnerable WordPress installation, the attackers can gain full control of the site.

A more technical write-up of the vulnerability is as follows:

“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”

The Fix.

Administrators of a WordPress site are advised to check whether it is running the genericons package. If it is, the example.html file should be removed immediately if it is included in the package, or at the very least a web application firewall or intrusion detection system should be configured to block access to it.

Sucuri has proactively reached out to web hosts already to have them virtually patch the vulnerability. The following hosts are confirmed to include the virtual patch:

  • GoDaddy
  • HostPapa
  • DreamHost
  • ClickHost
  • Inmotion
  • WPEngine
  • Pagely
  • Pressable
  • Websynthesis
  • Site5
  • SiteGround

Websites hosted with one of the hosts listed above are protected. For websites that aren’t, Sucuri recommends fixing the issue manually. The fix is to remove the example.html file from inside the genericons directory.
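The check-and-remove procedure described above, written out as a small POSIX shell script. This is an added example, not Sucuri's tooling or anything shipped with WordPress; it assumes the WordPress document root is passed as the first argument and that the genericons package keeps its usual layout of a directory named `genericons` containing `example.html`. The nginx rule it prints is the "block access" alternative for hosts that would rather not touch plugin files.

```shell
#!/bin/sh
# genericons-check.sh (hypothetical name) - locate and optionally remove
# genericons/example.html below a WordPress root, or print a deny rule.
#
# Usage:
#   sh genericons-check.sh /var/www/html            # report only
#   sh genericons-check.sh /var/www/html --remove   # delete what it finds
#   sh genericons-check.sh --nginx-rule             # print a block rule

# Print every example.html that sits directly inside a directory named
# "genericons" anywhere under the given root (plugins, themes, mu-plugins).
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Number of matching files, with wc's leading whitespace stripped (BSD wc pads).
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete each matching file, printing its path first so the run leaves a
# record. -exec handles paths with spaces safely, unlike a for-loop over find.
remove_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' \
        -print -exec rm -f {} \; 2>/dev/null
}

# Emit an nginx location block that refuses requests for the file, for sites
# that prefer to block access at the web server rather than delete it.
emit_nginx_deny_rule() {
    cat <<'EOF'
location ~ /genericons/example\.html$ {
    deny all;
    return 403;
}
EOF
}

# Top-level dispatch only runs when an argument is given, so the functions
# above can also be sourced and used on their own.
if [ -n "${1:-}" ]; then
    case "$1" in
        --nginx-rule)
            emit_nginx_deny_rule
            ;;
        *)
            root="$1"
            n=$(count_genericons_examples "$root")
            if [ "$n" = "0" ]; then
                echo "no genericons/example.html found under $root"
            elif [ "${2:-}" = "--remove" ]; then
                echo "removing $n file(s):"
                remove_genericons_examples "$root"
            else
                echo "found $n file(s) (re-run with --remove to delete):"
                find_genericons_examples "$root"
            fi
            ;;
    esac
fi
```

Run it once in report mode to see what it would touch, then again with `--remove`. Note that a plugin or theme update can reinstate the file, so the check is worth repeating after updates until the upstream package no longer ships it.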