Languagesx
English Deutsch
Subscribe
Home New Security Flaw Allows Attackers to Hijack WordPress Sites

New Security Flaw Allows Attackers to Hijack WordPress Sites

If you’re a WordPress user, you’ll want to update your site with a critical security release. That’s because a new zero-day vulnerability, discovered by Jouko Pynnönen of the Finnish security firm Klikki Oy, allows attackers to gain administrative control of WordPress sites. 

The exploit, known as a cross-site scripting (XSS) bug, involves leaving a long comment (over 64 kb) with malicious JavaScript that a logged-in administrator can trigger simply by viewing the comment. Bad things can then happen, according to Klikki Oy:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

According to Klikki Oy, another security researcher, Cedric Van Bockhaven, reported a similar WordPress flaw in 2014, although it was only patched this week.

Matt Mullenweg, who is both the lead developer of WordPress and founder and CEO of its parent company Automattic, released the following official statement by email (no link):

It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [the anti-spam plugin] Akismet, which blocks this attack.

However, many WordPress-powered sites do not run Akismet, which now costs $5 to $9 a month for commercial sites and $50/month for enterprise sites. (Automattic did not immediately respond to request for the percentage of users who use the plugin).

[Update: Mullenweg stated in an April 28 email that the number of Akismet users is “more than it has ever been, and [we] can say it’s the vast majority of WP sites.”]

WordPress is pushing out the security patch via auto-update, so that will protect many users—at least those who have auto-update enabled—even if they don’t use Akismet.

Lead image by Sean MacEntee

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

tags

Related News

A stunning 3D render of a detailed map of Europe, characterized by intricate lines of connectivity crisscrossing the entire continent. The map is rendered in a muted color palette, with distinct shades of green, brown, and gray for landmasses, and a vibrant blue for bodies of water. The connectivity lines, shimmering with a subtle glow, highlight the interconnectedness of cities, countries, and regions, symbolizing the flow of people, ideas, and commerce.,
Small browser companies like DuckDuckGo and Ecosia see user surge in Europe
Sophie Atkinson
AI inspired image of Reddit IPO on Wall Street / Reddit shares rise 11% in just one day since options launch for IPO
Reddit striving for $6.4 billion valuation in upcoming IPO
Graeme Hanna
Microsoft updating
Microsoft Edge users report serious issues following recent update
Rachael Davies
Twitch confirms first ever subscription price increases
Twitch confirms first ever subscription cost increases, US set to follow
Graeme Hanna
Safer Internet Day
Safer Internet Day: Why it matters now more than ever
Charlotte Colombo

Most Popular Tech Stories

Latest News

Baldur's Gate 3's new patch will allow for moderation of the game’s features, including stats, music, and visuals
Gaming

Baldur's Gate 3's latest patch brings more mod support and tools
Brian-Damien Morgan11 hours

Larian Studios has announced that a new Baldur's Gate 3 patch will allow for moderation of the game’s features. Announced in a detailed Steam Community Update post titled “Evil Endings,...

Popular TopicsArrow right.svg

AI
AI
AR / VR
AR / VR
Cryptocurrency
Cryptocurrency
Gaming
Gaming
Smartphone
Smartphone
Gambling
Gambling
Wearables
Wearables
Web
Web

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.