Researchers have offered more detail on a recently patched vulnerability that would allow an attacker to take over a WordPress site using something as simple as a maliciously crafted comment.
Discovered by RIPS Technologies, the flaw is a cross-site request forgery (CSRF) flaw that exists on any site running version 5.1 or earlier with default settings and comments enabled.
At the heart of this flaw is how WordPress protects itself (or rather, doesn’t) from CSRF-based takeovers through the comment form.
CSRF attacks work by abusing a user’s authenticated session: the attacker’s page makes the victim’s browser send requests that the target site treats as coming from that logged-in user.
In the case of the latest flaw, all the attacker has to do is lure a WordPress admin to a malicious website serving a cross-site scripting (XSS) payload.
Websites defend themselves against CSRF in different ways, but the complexity of the task means there are always cracks attackers can slip through.
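As an added illustration of the defence problem the article describes (this is example code, not WordPress’s own implementation), the handler below sketches a comment endpoint in which anonymous submissions are accepted but always sanitised, while any submission that carries a privileged session must also carry a per-session token and must not arrive cross-site. The site origin, session store and field names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://blog.example"  # hypothetical site, assumed


@dataclass
class Request:
    origin: Optional[str]   # Origin header as the browser sent it (None if absent)
    cookies: Dict[str, str]  # cookies the browser attached automatically
    form: Dict[str, str]     # POSTed comment form fields


@dataclass
class Session:
    user: str
    role: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(16))


def issue_token(session: Session, action: str) -> str:
    """Per-session, per-action token embedded in the comment form (a nonce)."""
    return hmac.new(session.csrf_secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def handle_comment(req: Request, sessions: Dict[str, Session]):
    """Return (decision, reason). Only a session with a valid token ever gets
    unfiltered treatment; everything else is sanitised or rejected."""
    session = sessions.get(req.cookies.get("sid", ""))
    if session is None:
        # Anonymous (or trackback-style) comment: no token required, never privileged.
        return ("accepted", "sanitized")
    # From here on the request carries a logged-in session, so a forged
    # cross-site POST would otherwise run with that user's privileges.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return ("rejected", "cross-site request with authenticated session")
    expected = issue_token(session, "post_comment")
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return ("rejected", "missing or invalid csrf token")
    privileged = session.role == "administrator"
    return ("accepted", "unfiltered" if privileged else "sanitized")
```

The origin check is a secondary signal, since older browsers may omit the header; the token comparison is what actually stops a forged request that arrives with the administrator’s cookie.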
The full sequence is somewhat involved but, if executed, would be bad news.
Writes RIPS Tech’s Simon Scannell:
As soon as the victim administrator visits the malicious website, a CSRF exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
What to do
The solution is to update WordPress to version 5.1.1, which appeared on 12 March with a fix for this flaw. If auto-updating is not turned on, it’s the usual drill: visit Dashboard > Updates and click Update.
A more extreme solution would be to disable comments entirely, while also remembering to log out of WordPress admin before visiting other websites.
You can see a related example of this class of attack in a recently patched CSRF flaw affecting Facebook.
Anonymous
It is confusing that this article both states “… features such as trackbacks and pingbacks would break if there was any validation.” and that the fix is simply updating. That must mean trackbacks and pingbacks no longer work.
Paul Ducklin
We simplified it a bit to avoid the confusion – thanks for the comment.
Anonymous
Is it possible to know how v5.1.1 works in order to fix the XSS vulnerability? What’s new in this version?
PJ Brunet
Can you clarify if this affects regular comments or registered-user comments? 99.9% of these problems are avoided by not allowing user registrations. Matt Mullenweg should never have allowed public user registrations. This is an architectural flaw from day 1 and over and over again this comes up. Matt needs to close this ‘feature’ for good. Random people should be blocked from registering, simple as that. If you want public registrations for comments, build a SEPARATE interface for them that is locked down with no chance to upgrade privileges. This problem was plain to see in 2004. Here we are in 2019 and it’s still not fixed?
MUHAMMAD DENNES
Will this method affect SEO?