
WordPress Stored XSS Vulnerability – Update Now

WordPress has announced a security update that fixes two vulnerabilities that could give an attacker the opportunity to completely take over a site. The more serious of the two is a stored cross-site scripting (stored XSS) vulnerability.

WordPress stored cross-site scripting (XSS) security vulnerability

The WordPress XSS vulnerability was discovered by the WordPress security team inside WordPress core files.

A stored XSS vulnerability is one in which an attacker is able to store a malicious script directly on a WordPress website.

These types of vulnerabilities are usually found anywhere a WordPress site accepts input, such as a post submission or a contact form.

These input forms are usually protected by a process called sanitization. Sanitizing means restricting an input so that it accepts only certain kinds of content, such as plain text, and rejects (filters out) other kinds, such as JavaScript.

According to Wordfence, the affected WordPress files do perform the sanitization procedure in order to block malicious files from being uploaded.

But the order in which sanitization was performed created a situation where it could be bypassed.

Wordfence gave this insight into the patch that fixes the vulnerability:

“The patched wp_filter_global_styles_post runs before wp_filter_post_kses so that any potential overrides have already been handled and wp_kses can effectively purge them.”
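
As an added illustration of the ordering problem described above (example code written for this article, not WordPress core code; kses, applyGlobalStyles and the post shape are simplified stand-ins for the real filters), the pipeline below shows a sanitizer that runs before a later filter re-inserts raw data, beside the corrected order in which the sanitizer runs last over the complete result:

```javascript
// Added example (not WordPress core code): why the sanitizer must run last.
// kses() is a toy stand-in for wp_kses: an allow-list that keeps a few
// harmless tags and strips everything else, attributes included.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong"]);

function kses(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";                     // drop disallowed tags
    return tag.startsWith("</") ? `</${lower}>` : `<${lower}>`;  // drop all attributes
  });
}

// Hypothetical later filter: it trusts post.styles.css and splices it into
// the markup verbatim. Any step like this has to run BEFORE sanitization.
function applyGlobalStyles(html, styles) {
  const css = styles && typeof styles.css === "string" ? styles.css : "";
  return css ? `${html}<style>${css}</style>` : html;
}

// Vulnerable order: sanitize first, then let a later filter add raw content
// that the sanitizer never sees.
function processPostWrongOrder(post) {
  return applyGlobalStyles(kses(post.content), post.styles);
}

// Fixed order (the shape of the fix quoted above): handle overrides first,
// then run the sanitizer over the complete result so it can purge them.
function processPostFixedOrder(post) {
  return kses(applyGlobalStyles(post.content, post.styles));
}

// Simple detector used by the checks below.
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post: harmless body text plus a styles field that tries
// to break out of the <style> element the later filter wraps it in.
const SAMPLE_POST = {
  content: "<p>Hello <b>world</b></p>",
  styles: { css: "</style><script>alert(1)</script>" },
};

function demo() {
  return {
    wrongOrderHasScript: containsScript(processPostWrongOrder(SAMPLE_POST)), // true
    fixedOrderHasScript: containsScript(processPostFixedOrder(SAMPLE_POST)), // false
  };
}

console.log(demo());
```

The point of the two process functions is not the toy sanitizer but the rule they illustrate: every step that can put attacker-influenced data into the output must run before the sanitizer, or the sanitizer has nothing to say about that data.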

Often the reason an attacker is able to load a script is that there is an error in how the file is encoded.

When a website user with administrator privileges visits the exploited website, the malicious JavaScript that was stored is executed and, with that user’s admin-level access, can do things like take over the site, create a new admin-level account and install backdoors.

A backdoor is a file/code that allows a hacker to access the backend of a WordPress site whenever they want with full access.

Prototype pollution vulnerability

The second problem discovered in WordPress is called a prototype pollution vulnerability. This type of vulnerability is a bug in JavaScript (or a JavaScript library) rather than in the website itself.

This second problem is actually two separate problems, both of them prototype pollution vulnerabilities.

One of them is a prototype pollution vulnerability in the Gutenberg wordpress/url package. This is a module within WordPress that allows a WordPress site to manipulate URLs.

For example, the Gutenberg wordpress/url package provides various functions for working with query strings and cleans up URL permalinks, doing things like converting uppercase letters to lowercase.

The second is a prototype pollution vulnerability in jQuery. This vulnerability was fixed in jQuery 2.2.3.
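
As an added example of this bug class (written for this article; it is not the code of WordPress, the Gutenberg wordpress/url package or jQuery, and it does not reproduce their specific flaws), the snippet below shows a recursive merge that lets attacker-controlled JSON write into Object.prototype, beside a variant that refuses the keys that make this possible, and a check a developer can run to confirm the prototype is still clean:

```javascript
// Added example (not WordPress, Gutenberg or jQuery code): the prototype
// pollution pattern in a recursive merge, its safe counterpart, and a check.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable: walks every key of `source`, including an own property literally
// named "__proto__" (which JSON.parse produces from attacker input). Reading
// target["__proto__"] yields Object.prototype, so the recursion writes there.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Safe: skips the three keys that reach the prototype chain and only descends
// into properties `target` owns itself, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check: Object.prototype normally has no own enumerable keys. Any that show
// up were added at runtime, which is exactly what pollution looks like.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed attacker-style input: a JSON body carrying a "__proto__" key.
const HOSTILE_JSON = '{"name":"x","__proto__":{"pollutedByDemo":true}}';

function demo() {
  unsafeMerge({}, JSON.parse(HOSTILE_JSON));
  const afterUnsafe = pollutedPrototypeKeys();                   // ["pollutedByDemo"]
  const unrelatedObjectAffected = ({}).pollutedByDemo === true;  // true: every object sees it
  delete Object.prototype.pollutedByDemo;                        // undo the demo's damage

  const merged = safeMerge({ a: 1 }, JSON.parse(HOSTILE_JSON));
  const afterSafe = pollutedPrototypeKeys();                     // []
  return { afterUnsafe, unrelatedObjectAffected, afterSafe, merged };
}

console.log(demo());
```

The detection function is the part worth keeping around: a one-line check that Object.prototype has no own enumerable keys can run in a test suite after fuzzing a merge or query-string parser with "__proto__" keys, and any non-empty result is a finding.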

Wordfence states that it is not aware of any exploitation of this vulnerability and that the complexity of exploiting this specific vulnerability makes it unlikely to be a problem.

A Wordfence vulnerability analysis concluded that:

“An attacker capable of successfully executing JavaScript in the victim’s browser could take over the site, but the complexity of the practical attack is high and would likely require the installation of a separate vulnerable component.”

How bad is the stored XSS vulnerability in WordPress?

This particular vulnerability requires a user with contributor-level access in order to have the permissions needed to load a malicious script.

So an additional step is required: an attacker would first have to obtain contributor-level login credentials before proceeding to exploit the stored XSS vulnerability.

While the extra step may make the vulnerability harder to exploit, all that stands between relative safety and a complete site takeover is the strength and complexity of the contributors’ passwords.

Update to WordPress 5.9.2

The latest WordPress version, 5.9.2, fixes two security-related issues and addresses one bug that could cause an error message to appear for sites using the Twenty Twenty Two theme.

The WordPress Trac ticket describes the error like this:

“After activating an old default theme and then clicking to preview Twenty Twenty Two, it gave me an error screen with a gray background with a white notification box that said ‘The theme you are currently using is not compatible with full site editing.’”

The official WordPress announcement recommends that all publishers update their installation to WordPress 5.9.2.

Some sites may have automatic updates enabled, in which case they are already protected.

But this is not the case for all sites, because many sites require someone with admin-level access to approve and apply the update.

So it is wise to log in to your website and check whether it is currently running version 5.9.2.

If the website is not running version 5.9.2, the next steps to consider are to back up the website and then update to the latest version.
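
To make the version check described above concrete (an added example written for this article, not WordPress’s own tooling), the function below reads the text of the file in which a WordPress installation defines $wp_version (the path to that file is not given on this page and is assumed to be known to the operator, so the text is simply an input here) and reports whether the installed version is older than 5.9.2:

```javascript
// Added example: decide whether an installation is older than WordPress 5.9.2
// from the text of the file that defines $wp_version. Where that file lives
// is assumed to be known to the operator; this page does not state it.
const REQUIRED_VERSION = "5.9.2";

// Extract the version string from a line such as:  $wp_version = '5.9.1';
function parseWpVersion(phpText) {
  const match = /\$wp_version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]\s*;/.exec(phpText);
  return match ? match[1] : null;
}

// Compare dotted numeric versions; missing components count as 0, so
// "5.9" equals "5.9.0". A pre-release suffix such as "-beta1" is ignored.
function compareVersions(a, b) {
  const toParts = (v) => v.split("-")[0].split(".").map((p) => parseInt(p, 10) || 0);
  const pa = toParts(a);
  const pb = toParts(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns the installed version and whether it is below the required one.
function needsUpdate(phpText, required = REQUIRED_VERSION) {
  const installed = parseWpVersion(phpText);
  if (installed === null) throw new Error("could not find $wp_version in the supplied text");
  return { installed, required, needsUpdate: compareVersions(installed, required) < 0 };
}

// Constructed sample file contents, in the shape of an installation that has
// not yet been updated (the values are made up for this example).
const SAMPLE_VERSION_PHP = `<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.9.1';
`;

console.log(needsUpdate(SAMPLE_VERSION_PHP));
```

Reading the version out of the file rather than trusting the dashboard is useful when auditing many sites at once: the same function can be fed the contents of each installation’s version file and the results compared against the release this article is about.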

However, some will add an extra layer of safety by first updating a copy of the site on a staging server and reviewing the updated copy to make sure there are no conflicts with the currently installed plugins and themes.

Often, after a major WordPress update, plugin and theme developers release their own updates to fix issues.

However, WordPress recommends that you update as soon as possible.

Citations

Read the official WordPress.org announcement

WordPress 5.9.2 Security and Maintenance Release

Read Wordfence’s explanation of vulnerabilities

WordPress 5.9.2 security update fixes XSS and prototype pollution vulnerabilities

Summary of the official WordPress 5.9.2 release

WordPress version 5.9.2

Check out the WordPress bug fix documentation

The live preview button shows the problem

Learn more about the WordPress Gutenberg URL package

WordPress Gutenberg package: wordpress/url
