Experts at the Sucuri firm have discovered that any WordPress Plugin or theme that leverages the genericons package is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons.
The experts explained that among the vulnerable plugins there is the JetPack plugin, which have more than 1 million active installation, and the TwentyFifteen theme that comes by default.
Due to the large number of affected websites, Sucuri has reported the flaw to the hosting providers.
Any plugin that makes use of the genericons package is potentially vulnerable if it includes the example.html file that is normally included with the flawed package.
“We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded,” states Sucuri.
The researchers explained that in order to exploit the DOM-based XSS vulnerability, bad actors need to trick the victim into clicking on an exploit link. Unfortunately, threat actors are already exploiting the DOM-based XSS vulnerability worldwide.
“What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:
http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
The good news is that it is quite easy to fix the DOM-based XSS vulnerability, it is enough to remove the “example.html” or block access any access to the file.
(Security Affairs – WordPress, DOM-based XSS vulnerability)