WordPress Fixes XSS Flaw in Latest Patch

Simon Scannell, a researcher at RIPS Technologies GmbH, has discovered a new flaw in the WordPress content management system (CMS) that could lead to remote code execution attacks.
WordPress is the most popular CMS in the world and is used by close to 75 million websites. It also powers more than 25% of the world’s websites. People use it to run their personal blogs and their company websites, and it has some major players using it. Global financial, business, and technology media company, Forbes, uses WordPress. We also use WordPress!
A CMS this popular and far-reaching is an attractive target to hackers who have the potential to gather large amounts of information or take control of websites.
The flaw could allow attackers to perform stored cross-site scripting (XSS) attacks through malicious comments on WordPress websites where the comments module is enabled. An attacker could take over a website by luring a logged-in administrator into visiting a malicious website that contains an XSS payload.
A hidden iframe is then used to load and execute the XSS payload. This means an attacker can, without authentication, execute arbitrary code and take over a WordPress website.
RIPS Technologies tweeted:
#WARNING: New critical #WordPress vulnerability found! It exists in WordPress versions prior to 5.1.1 and is exploitable with default settings by unauthenticated attackers to gain code execution. Make sure your WordPress is updated with today’s security release.
WordPress has released a fix for the flaw in patch 5.1.1 and thanked Simon Scannell for bringing it to their attention.
Props to Simon Scannell of RIPS Technologies who discovered this flaw independent of some work that was being done by members of the core security team. Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.
They also stated:
WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.
If you are a WordPress user and haven’t updated the version you are running, we recommend that you do so urgently. Although there is no evidence this flaw was exploited before it was discovered by Simon and his team, attackers may now be working on malicious code to target people who haven’t updated to the latest patch. To ensure you aren’t a victim, it is best to update.
You can download the update here. Alternatively, you can visit Dashboard > Updates and click Update Now.
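For administrators who manage several installs, the first practical check is which sites still run an affected version. The script below is an added example written for this article, not code from WordPress or from the original post. It assumes you can read each site's wp-includes/version.php (where WordPress records its version in the $wp_version variable) and classifies each install against the three statements above: 5.1 and earlier are affected, 5.1.1 carries the fix, and updated releases exist for the 5.0 and earlier branches but their version numbers are not given here, so those installs are flagged for manual verification rather than assumed safe. The sample file contents are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Release the article names as carrying the fix.
FIXED_VERSION = "5.1.1"

# Constructed sample contents of wp-includes/version.php for five hypothetical
# installs. These are not real sites; they only exercise the classifier.
SAMPLE_VERSION_FILES: Dict[str, str] = {
    "site-a": "<?php\n$wp_version = '5.1';\n",
    "site-b": "<?php\n$wp_version = '5.1.1';\n",
    "site-c": "<?php\n$wp_version = '5.0.3';\n",
    "site-d": "<?php\n$wp_version = '5.2-alpha';\n",
    "site-e": "<?php\n// version line missing\n",
}

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(php_source: str) -> Optional[str]:
    """Pull the $wp_version string out of wp-includes/version.php text."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a WordPress version, padded to three parts:
    '5.1' -> (5, 1, 0), '5.1.1' -> (5, 1, 1), '5.2-alpha' -> (5, 2, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(version: str) -> str:
    """Classify one install against the article's statements about 5.1.1."""
    if "-" in version:
        # Nightly/alpha/beta builds carry no release number we can compare
        # against, so they need a manual check of the build date.
        return "prerelease: confirm the build postdates the 5.1.1 fix"
    key = version_key(version)
    fixed = version_key(FIXED_VERSION)
    if key >= fixed:
        return "fixed"
    if key[:2] == fixed[:2]:
        # 5.1 / 5.1.0: the article says 5.1 itself is affected.
        return "vulnerable: update to 5.1.1"
    # 5.0 and earlier: the article says updated releases exist for these
    # branches but does not name them, so do not assume the install is safe.
    return "older branch: vulnerable unless the backported security release is installed"


def scan(version_files: Dict[str, str]) -> Dict[str, str]:
    """Map each site name to a one-line status, including unparseable files."""
    report: Dict[str, str] = {}
    for site, source in version_files.items():
        v = parse_wp_version(source)
        report[site] = "unknown: no $wp_version found" if v is None else f"{v}: {assess(v)}"
    return report


if __name__ == "__main__":
    for site, status in scan(SAMPLE_VERSION_FILES).items():
        print(f"{site}: {status}")
```

To run it against real installs, replace the sample dictionary with the contents of each site's wp-includes/version.php; the comparison deliberately refuses to call an older branch or a pre-release build "fixed" on version number alone, because the article names only 5.1.1 as a fixed release.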
Other highlights of this release include:
- Hosts can now offer a button for their users to update PHP.
- The recommended PHP version used by the “Update PHP” notice can now be filtered.
- Several minor bug fixes.
WordPress 5.1.1 was a short-cycle maintenance release. Version 5.1.2 is expected to follow a similar two-week release cadence.