Ars Technica reports that the discovery was made by Finland-based security research firm Klikki Oy. The exploit is present in the latest version of WordPress (4.2) and there is currently no patch available.
Known as a cross-site scripting (XSS) bug, the issue is similar to one found last November by security researcher Cedric Van Bockhaven and is centred around the WordPress comments system.
To leverage the potential of the bug, all an attacker has to do is paste some malicious JavaScript code into the comments section on a page on any WordPress blog. The comment must then be padded with around 66,000 characters of text, generating a total comment size of 64 kilobytes.
At this point, the comment is larger than the WordPress database can accept. When the attacker saves the comment, the database will truncate the contents and display malformed HTML onto the webpage.
This will include the malicious JavaScript specified by the attacker. There will be no indication that anything abnormal is occurring but at this point the attackers have the power to execute any code they like on the web server.
By default, WordPress requires administrators to approve comments from new users before they are saved and the exploit does not work unless the attacker’s comment is approved.
This can be easily worked around though — all the hijacker has to do is post an innocent comment on the site, get it approved and then post the malicious one. As a previous comment was already accepted, WordPress will automatically approve the malicious one and the code will be executed.
Once access has been acquired, the attacker has access to every admin feature available on the site. They can change passwords, add new administrator accounts to sign themselves in with, create new pages with embedded malicious code, install dodgy third-party plugins or change the theme of the site. In short, it is entirely plausible that the attacker could gain complete control of the site by locking the real administrators out.
Kliiki Oy has published a video that shows the proof-of-concept attack in progress. WordPress has currently refused all communication with the firm and there is no word on when a patch is incoming. WordPress site administrators should disable comments unless they are absolutely required or enforce mandatory manual approving of every comment by all users.
[UPDATE 27/04/2015 21:28GMT]
WordPress has now acknowledged the issue and patched it in a new critical security release. WordPress 4.2.1 is rolling out as an automatic background update to supported sites now and can be started manually by administrators from the “Updates” section of the WordPress dashboard.
The vulnerability no longer exists in 4.2.1 but can still be exploited on sites running older WordPress versions. Additionally, the update process to 4.2.1 will scan existing comments and remove any suspicious ones that may have been hijacked by attackers. Administrators are encouraged to update their sites to WordPress 4.2.1 as soon as possible to guard against malicious code injection.
