NOTICE: WordPress XSS Vulnerability

Tuesday, April 28, 2015

This information is intended for U-M IT staff who are responsible for a website that uses the WordPress content management system.

Summary

A critical vulnerability in the WordPress content management system could allow commenters to compromise a website. A patch is now available that fixes a cross-site scripting (XSS) vulnerability. WordPress.org recommends updating all sites immediately. Sites that support background updates will be automatically updated. Sites that do not have comments enabled are unaffected.

Threats

Proof of concept exploit code is currently available. Widespread exploitation is possible in the near future.

Affected Systems

Sites using the WordPress content management system version 4.2 and older, and that have comments enabled.

Action Items

  • Disable comments if your site does not need them.
  • Update to WordPress version 4.2.1 using one of the following methods:
    • If your site supports background updates, it will be updated automatically.
    • Update manually by visiting your site and clicking Dashboard, then Updates, then Update Now.
    • Download WordPress version 4.2.1 by visiting Download WordPress.

Technical Details

An attacker can store JavaScript in the comments of a WordPress site. The JavaScript is triggered when the comment is viewed. If a site administrator triggers the malicious script, the attacker could execute arbitrary code on the server using the plugin and theme editors, or make other changes as an administrator such as changing the administrator's password.
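The following Python script is an added example and is not part of this notice or of WordPress itself. It shows the two checks a site owner would make after reading the notice (is the core older than 4.2.1, and are comments enabled, so the site is affected) and the output-encoding step that turns a stored comment into inert text rather than executable markup. It assumes the operator supplies the text of `wp-includes/version.php` (the real file defines `$wp_version` as shown) and a flag saying whether comments are enabled; the version file excerpt and the comment strings below are constructed samples, and the triage regex is a crude review aid, not WordPress's own sanitizer.

```python
import html
import re

# Constructed sample of the top of wp-includes/version.php. The real file
# assigns $wp_version the same way; the value here is made up for the demo.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.2';
$wp_db_version = 31532;
"""

# First release that carries the fix named in the notice.
PATCHED_VERSION = (4, 2, 1)


def parse_wp_version(version_php_text):
    """Extract $wp_version from version.php text as a tuple of ints.

    Pre-release suffixes such as '-beta1' are dropped, so a beta of 4.2
    compares as 4.2 (unpatched), which is the conservative answer.
    """
    m = re.search(r"\$wp_version\s*=\s*'(\d+(?:\.\d+)*)", version_php_text)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version):
    """Tuples compare element-wise, so (4, 2) < (4, 2, 1) < (4, 3)."""
    return tuple(version) >= PATCHED_VERSION


def assess_site(version_php_text, comments_enabled):
    """Apply the notice's two conditions: unpatched core AND comments on."""
    version = parse_wp_version(version_php_text)
    needs_update = not is_patched(version)
    return {
        "version": ".".join(map(str, version)),
        "needs_update": needs_update,
        "affected": needs_update and comments_enabled,
    }


# Triage aid for reviewing comments stored while the site was unpatched:
# flags tags and attributes that carry script, which plain text never needs.
_ACTIVE_CONTENT = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg)\b"  # script-bearing tags
    r"|\bon[a-z]+\s*="                               # inline event handlers
    r"|javascript\s*:",                              # script URLs
    re.IGNORECASE,
)


def looks_like_active_content(comment_text):
    return _ACTIVE_CONTENT.search(comment_text) is not None


def render_comment_unescaped(comment_text):
    """The failure mode the notice describes: stored text emitted as HTML."""
    return f"<p>{comment_text}</p>"


def render_comment_escaped(comment_text):
    """Output encoding makes the same stored text display as literal text."""
    return f"<p>{html.escape(comment_text, quote=True)}</p>"


if __name__ == "__main__":
    print(assess_site(SAMPLE_VERSION_PHP, comments_enabled=True))
    # Constructed sample comments (not real data).
    for text in ["Great write-up, thanks!",
                 "Nice post <script>/* sample */</script>"]:
        print(looks_like_active_content(text), render_comment_escaped(text))
```

`assess_site` reports `needs_update` separately from `affected` because the notice says only comment-enabled sites are exposed, but every site older than 4.2.1 should still be updated. The escaping function is the general defence: whatever a commenter stores, `html.escape` guarantees the browser receives text, not markup.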