
WordPress XSS vulnerability -what you should know

9:37 pm on Mar 14, 2019 (gmt 0)

tangor (Senior Member from US)

A newly revealed vuln in the open-source CMS WordPress allows an unauthenticated website attacker to remotely execute code potentially letting naughty folk delete or edit blog posts.

The flaw, detailed by German code-checking company RIPS Technologies in a blog post, can be exploited "by tricking an administrator of a target blog to visit a website set up by the attacker" in order to activate a cross-site request forgery exploit.
[theregister.co.uk...]
As always, be up to date and current on installs and patches!
10:06 pm on Mar 14, 2019 (gmt 0)

not2easy (Administrator from US)

That's good to know, but there isn't anything to patch; the article warns of an exploit not likely to affect security-conscious admins:
The attack relies on a) the target site having comments enabled, and b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. Security-aware folk are unlikely to be affected by this.
10:20 pm on Mar 14, 2019 (gmt 0)

tangor (Senior Member from US)

Or ... as the article continues:

To avoid this rather convoluted vuln, WordPress admins should ensure their installs are patched to version 5.1.1, or, failing that, disable comments until the core site can be patched.

Agreed that admins might cause the problem ... but having the latest install would obviate that.

YMMV
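Turning the quoted advice (patch to 5.1.1, or close comments until you can) into a script: this is an added example, not code from the thread or from WordPress. It assumes WP-CLI (`wp`) is installed and that the script runs from the site root; the version compare only models the 5.1.1 threshold the thread cites.

```shell
#!/bin/sh
# Added example (not from the thread or WordPress): compare the installed
# version with 5.1.1 and, if older, apply the interim mitigation of closing
# comments until core can be updated. Assumes WP-CLI ("wp") is available.
set -e

PATCHED_VERSION="5.1.1"   # the fixed release named in the thread

# version_lt A B: succeed when dotted version A sorts before B numerically
# (pre-release suffixes such as "-beta1" are not handled).
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$first" = "$1" ]
}

# needs_mitigation VERSION: prints "yes" when VERSION is older than 5.1.1.
# Caveat: the fix was also backported to older release branches; this check
# only knows the 5.1.1 threshold, so confirm against the official release
# notes before acting on a "yes" for an older branch.
needs_mitigation() {
  if version_lt "$1" "$PATCHED_VERSION"; then echo yes; else echo no; fi
}

# close_comments: stop new comments for future posts and on every existing
# post (default_comment_status alone does not touch posts already published).
close_comments() {
  wp option update default_comment_status closed
  ids=$(wp post list --post_type=post --format=ids)
  [ -n "$ids" ] && wp post update $ids --comment_status=closed
  return 0
}

check_site() {
  current=$(wp core version)
  if [ "$(needs_mitigation "$current")" = yes ]; then
    echo "WordPress $current is older than $PATCHED_VERSION: closing comments" >&2
    close_comments
  else
    echo "WordPress $current is at or above $PATCHED_VERSION: update path only" >&2
  fi
}

# Only act when WP-CLI is present; the helper functions work without it.
if command -v wp >/dev/null 2>&1; then
  check_site
fi
```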