WordPress patches critical XSS vulnerability

Wordpress developer Automattic is urging users to urgently update their installations of the company's publishing platform to fix a critical vulnerability that could lead to attackers taking over entire sites.

Jouko Pynnönen of security vendor Klikki.fi discovered a cross-site scripting (XSS) flaw in WordPress that allows commenters to inject Javascript into sites.

When admin users check the comments to moderate them and execute the Javascript they contain attackers can gain full control of the target WordPress site through the plugin and theme editors.

The vulnerability takes advantage of the TEXT data type in the MySQL database that WordPress is built on being limited to 64 kilobytes in size.

A comment longer than 64Kb will be truncated, Pynnönen said, but results in malformed HTML being generated on the WordPress page.

"The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core," he wrote.

Versions 3.9.3, 4.1.1, 4.1.2 and 4.2 of WordPress with MySQL 5.1.53 and 5.5.41 have been confirmed as vulnerable by Pynnönen who advised users running these to turn off comments until they have updated their sites.

Automattic said it pushed out the fix, contained in version 4.2.1, within hours of being made aware of the serious vulnerability.

Conversely, Pynnönen stated that the vendor "has refused all communications attempts about our ongoing security vulnerability cases since November 2014."

The 4.2.1 update is also being rolled out automatically for sites that support that version, Automattic said.

Pynnönen wrote that the XSS he found resembles another flaw that used an invalid character instead of a longer than 64kb comment, to truncate strings in MySQL.

The invalid character XSS flaw was discovered by researcher Cedric van Bockhaven and reported to Automattic in February last year. Although WordPress acknowledged the issue in March 2014 and sent an initial patch to van Bockhaven in May, the issue was not resolved until April this year.

Blogging platform and content management system WordPress is estimated to be used by around 75 million sites worldwide, serving 15.8 billion pages a month.