“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login),” Klikki Oy said in a press release. “Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administered account.”
A proof-of-concept published by the company shows that an attacker can exploit the vulnerability to create new administrator accounts, change the password of the current administrator, and execute arbitrary PHP code on the server.
“Exploitability without login, under default settings, and the server-side impact make this probably the most serious WordPress core vulnerability that has been reported since 2009,” Klikki Oy said.
Technical details on the critical XSS vulnerability are available in an advisory published by the Finnish company on November 20.
Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.
The security update also fixes 23 flaws from the WordPress 4.0 version among others.
Read Full article at SECURITYWEEK