Experts at the Sucuri firm have discovered that any WordPress Plugin or theme that leverages the genericons package is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons.
The experts explained that the vulnerable plugins include the JetPack plugin, which has more than 1 million active installations, and the TwentyFifteen theme that ships with WordPress by default.
Due to the large number of affected websites, Sucuri has reported the flaw to the hosting providers.
Any plugin that makes use of the genericons package is potentially vulnerable if it includes the example.html file that is normally included with the flawed package.
“We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded,” states Sucuri.
The researchers explained that in order to exploit the DOM-based XSS vulnerability, bad actors need to trick the victim into clicking on an exploit link. Unfortunately, threat actors are already exploiting the DOM-based XSS vulnerability worldwide.
“What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:
http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
The good news is that the DOM-based XSS vulnerability is quite easy to fix: it is enough to remove the “example.html” file or to block any access to it.
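The cleanup described above, as an added example that is not part of the original article or of Sucuri's own tooling: a small POSIX shell helper that locates every genericons/example.html below a WordPress root (themes and plugins alike) and, on request, deletes them. The plugin path used in the comments is a constructed sample, not a verified Jetpack layout; blocking the file at the web server remains the alternative when the files cannot be removed.

```shell
#!/bin/sh
# Hypothetical helper: find and remove the genericons example.html test page
# from a WordPress install. Usage: sh genericons-cleanup.sh /var/www/html

# find_genericons_examples <wp-root>
# Prints the path of every file named example.html that sits directly inside a
# directory called genericons, e.g. (constructed sample paths)
#   wp-content/themes/twentyfifteen/genericons/example.html
#   wp-content/plugins/some-plugin/genericons/example.html
find_genericons_examples() {
  find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# remove_genericons_examples <wp-root>
# Deletes each matching file and prints how many were removed.
# -print runs before -exec, so each deleted path is echoed and then counted.
remove_genericons_examples() {
  find "$1" -type f -path '*/genericons/example.html' \
    -print -exec rm -f {} \; 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: report first, remove only when --remove is given.
if [ -n "$1" ] && [ -d "$1" ]; then
  if [ "$2" = "--remove" ]; then
    echo "removed: $(remove_genericons_examples "$1")"
  else
    find_genericons_examples "$1"
  fi
fi
```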
(Security Affairs – WordPress, DOM-based XSS vulnerability)