Earlier this week a security researcher reported a cross site scripting vulnerability, also known as an XSS vulnerability, in the WordPress icon package, Genericons. Genericons is an icon package that was used with the default-installed WordPress theme, Twenty Fifteen. Genericons included an HTML file, named example.html, which actually had the cross site scripting flaw.
The XSS vulnerability was DOM, or document object model, based meaning it could potentially control how the browser handles a requested page. The victim would have to be coaxed into clicking a malicious link, reducing severity, though the exploit remains widely deployed all the same.
The attack is carried out by the attacker crafting a link to the vulnerable example.html file including malicious JavaScript, and persuading a victim to click the link. The server responds to the request, serving the page with crafted code. The browser then runs the code in the DOM object of the page, performing any number of malicious actions. Logged-in admins, as you can imagine, would be vulnerable to site takeover.
First, don’t worry.
Even though the exploit is run directly in the browser, SiteLock TrueShield customer sites are patched virtually against the exploit. Plus, further extension of an attempted attack will be caught by the TrueShield WAF or the SiteLock SMART scanner if malicious code makes it on the site.
Next, update WordPress to the latest version released yesterday, 4.2.2. Most WordPress installations will update automatically, though we recommend backing up your database and site files all the same. You can also remove the example.html file or files which will remove the vulnerability without impact to the site.
(It’s a good idea to remove example, test, and development files from a production site anyway. Run a ‘$ sudo find / -name example.html’ to find and review all files named example.html.).
For more information on how to search through files on your website, check out this article by SiteLock president, Neill Feather, How To Look For Malware In Your Website Files.
WordPress is a powerful, yet simple to use CMS ideal for many blogs, portfolio or e-commerce sites. The widespread adoption and scrutiny of WordPress’ code base is an absolute positive, and SiteLock’s security products work in perfect conjunction with WordPress’ growth.
Stay tuned to The SiteLock Blog for the latest in WordPress and internet security. If you are not already a SiteLock customer and would like to learn more about our website security packages give us a call at 855.378.6200 or check out our plans page.