You can now find Cyber Kendra on Google News | Telegram

Zero-Day: Critical Persistent XSS in WordPress all version

Zero-Day: Critical Persistent XSS in WordPress all version, Critical Persistent XSS 0day in WordPress, WordPress 0day makes it easy to hijack millions of websites, WordPress 4.2 Stored XSS, Zero Day XSS Vulnerability in WordPress 4.2 Currently Being Patched,
Here is the another major security warning for all the WordPress users, that a critical Persistent XSS Zero-day vulnerability found in WordPress latest version. This is the newly discovered vulnerability that leave millions of the WordPress site under threat.

Security researcher "Jouko Pynnönen" from the Finland-based security firm Klikki Oy, have discovered the Critical Zero-day vulnerability affecting WordPress’ comment mechanisms. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

We all know that WordPress site allows users to post comments via the WordPress commenting system, and if you have enabled the commenting system then your site is vulnerable to this Zero-Day Persistent Cross Site Scripting (XSS) attack. 

Vulnerability allow an attacker to inject code into the HTML content received by administrators who maintain the website. Attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress blog or article post.

The vulnerability is trigger as critical because the successful exploitation of the vulnerability allows the attackers to change the passwords, add new administrators, or take just about any other action legitimate admins can perform.

This could be the worst situation for all the WordPress users because, there is no patch available for this zero-day XSS vulnerability and vulnerability affects the latest version of WordPress too.

How It Works ?
The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn't automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.

Video Demonstration - POC
What to Do now?
As there is no Patch available at the meantime of the vulnerability, so it is recommended to all the administrator to disable the commenting system. To disable the commenting system, just follow this -Dashboard, Settings/Discussion, select as restrictive options as possible. 

Post a Comment

Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.