::Trend Micro Threat Resource Center::


25 November 2014

Four-year-old comment security bug affects 86 percent of WordPress sites

A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.
The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication, the default setting for WordPress, this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof of concept attack developed by Klikki Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes.

“For instance, our [proof of concept] exploits first clean up traces of the injected script from the database,” the Klikki Oy team wrote in a blog post on the vulnerability, “then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator). These operations happen in the background without the user seeing anything out of the ordinary. If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.”

The current version of WordPress (version 4.0), which was released in September, is not vulnerable to the attack. However, WordPress issued a security update to version 4.0 last week to address unrelated cross-site scripting issues.

24 June 2011

WordPress users endangered by Trojanized plugins

Three popular WordPress plugins have been Trojanized by unknown individuals and made available for download, warned WordPress yesterday.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors," explained Matt Mullenweg. "We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory."

If you use the WordPress platform and have updated one of these plugins in the past two days, you are at risk. You have to upgrade them again - WordPress has pushed out their new, safe versions.

Also, if you have an account on WordPress.org, bbPress.org and/or BuddyPress.org, don't be surprised to find a reset password message the next time you log into your account.

13 June 2011

Cyber Attack Compromises 18 Million WordPress Blogs

Bad news for just about every blogger out there. It seems WordPress, an extremely popular suite of tools for powering blogs, has been the victim of a cyber attack. Automattic, the company that owns WordPress, admitted to the attack this morning and noted that it may have left over 18 million blogs vulnerable.

WordPress founder Matt Mullenweg writes “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.”

Mullenweg continues “We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

Analysts, including Alexia Tsotsis of TechCrunch, have suggested that Mullenweg is downplaying the issue. She indicates that everything from Facebook and Twitter passwords to API keys could have been leaked.

So what does this mean to you? Probably nothing. There is a lot of information out there and the chances of your passwords being nabbed are slim. Still, it is about time you got them changed, right? You’ve been using the same two passwords since high school, and if you haven’t formed that band by now you probably never will. Wait, maybe that’s just me.

04 March 2011

WordPress Hit By Multigigabit DDoS Attack

WordPress.com has been targeted by an extensive DDoS attack, and the millions of blogs it hosts have been temporarily unavailable or have been experiencing occasional disruptions because of it.

The news comes from Graham Cluley, one of Sophos' security consultants, who got the confirmation directly from Automattic (the company behind WordPress.com).

"Sophos's Naked Security site runs on the VIP version of the WordPress.com platform, and our writers have had some difficulties posting today because of this disruption," he says and shares the information sent to him:
  • The size of the attack reached multiple gigabits per second and tens of millions of packets per second
  • Automattic works with its upstream providers in order to establish defense measures
  • The attack impacted all three of their datacenters in Chicago, San Antonio, and Dallas
"This is the largest and most sustained attack we've seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we're still investigating and have no definitive evidence yet," said Matt Mullenweg, WordPress.com and Automattic founder.

31 December 2010

WordPress 3.0.4 critical security update

Version 3.0.4 of WordPress is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.
Certain unspecified input is not properly sanitized in the KSES library before being displayed to the user, according to Secunia.

This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.

This is a critical release, available immediately through the update page in your dashboard or for download here.

25 October 2010

Firefox extension makes social network ID spoofing trivial

A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can "sniff out" the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user.
"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed," explains Butler. "Double-click on someone, and you're instantly logged in as them."

It is not that this was impossible to do before the advent of Firesheep, but it included the use of some knowledge that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.

Whether he will succeed in pointing out the need for full end-to-end encryption and spurring websites into action remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others.

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing that an action such as this could bring about the realization of a more secure Internet?
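The weakness Firesheep relies on is visible in a site's own response headers: a login cookie set without the Secure attribute is sent on plain HTTP and can be replayed by anyone listening on the segment. The audit below is an added example for this page, not code from the article or from Firesheep; the Set-Cookie values, the `blog`-style names and the session-name heuristic are constructed assumptions.

```python
"""Audit Set-Cookie headers for the weakness Firesheep exploited: a session
cookie without the Secure attribute travels over plain HTTP, where anyone on
the same network segment can read and replay it. Added example for this page,
not code from the article or from Firesheep; the header values are constructed."""
import re

# Constructed Set-Cookie values. wordpress_logged_in_* / wordpress_sec_* follow
# WordPress's real cookie naming; "abc" stands in for the site-specific hash.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc=alice|1400000000|deadbeef; Path=/; HttpOnly",
    "wordpress_sec_abc=alice|1400000000|cafebabe; Path=/; Secure; HttpOnly",
    "PHPSESSID=0123456789abcdef; Path=/",
    "lang=en; Path=/; Max-Age=31536000",
]
# Heuristic assumed by this example: names that usually carry login state.
SESSION_NAME_RE = re.compile(r"sess|logged_in|auth|token|_sec", re.IGNORECASE)

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); flag attributes
    such as Secure and HttpOnly map to True, valued ones to their string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def audit_set_cookie(header_value):
    """'high': session-looking cookie without Secure (replayable by a passive
    sniffer on open Wi-Fi); 'medium': Secure but no HttpOnly; else 'ok'."""
    name, _, attrs = parse_set_cookie(header_value)
    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    session_like = bool(SESSION_NAME_RE.search(name))
    if session_like and not secure:
        risk = "high"
    elif session_like and not httponly:
        risk = "medium"
    else:
        risk = "ok"
    return {"name": name, "secure": secure, "httponly": httponly, "risk": risk}

def hijackable_cookies(headers):
    """Names of cookies that an HTTP visit would hand to a sniffer."""
    return [f["name"] for f in map(audit_set_cookie, headers) if f["risk"] == "high"]
```

Run `hijackable_cookies(SAMPLE_HEADERS)` against the constructed headers and only the two cookies missing Secure come back; serving the site over HTTPS alone does not help if the login cookie can still be sent on an HTTP request.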

13 May 2010

WordPress users under attack

WordPress-based websites have once again become the target of attacks. This time around, the hacked websites are hosted by various ISPs: DreamHost, GoDaddy, Media Temple and Bluehost, and there are also rumors floating around that other PHP-based platforms could also have been affected.

The H Security reports that it is still unknown which security hole has been exploited to launch the attack, which infects the websites with malicious scripts that allow fake AV to be installed on the systems of people who visit the sites in question. To avoid detection, the malware prevents some browsers (Firefox and Google Chrome) from alerting potential visitors about the malicious nature of the website.

Speculations about the possible invulnerability of the sites running the latest version of WordPress have been shot down by David Dede at Sucuri Security's blog, who offers a few likely theories about how the sites were compromised:
  • Stolen FTP/WP password
  • Bug in WordPress
  • Bug in a WordPress plugin
  • Brute force attack against the passwords
He also offers a simple cleanup solution for the owners of infected websites.

A similar attack has been detected today on websites hosted by Go Daddy. WPSecurityLock has received a statement from the ISP, in which it says that "they have identified and are working with the provider and hosting company from where the attacks are originating" and that they are "close to breaking additional details related to recent malware attacks."

15 April 2010

WordPress hacked, affected blogs point to malware site

A throng of blogs have been compromised and are pointing readers to a malicious website containing scripts that lead to a Trojan that drops and executes other malicious files.

The origin of the attack can be found in a WordPress hack and a virus that - according to Tech Cocktail - "infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities."

Users whose blogs have been hacked are advised to contact WordPress for help and to provide information that can help them devise a fix as soon as possible.

Most of the affected blogs are hosted by Network Solutions, which says that even users running the latest version (2.9.2) of the blogging platform are affected.

They also reacted pretty quickly and put a fix in place that requires no action by most customers. The exceptions are those that have custom code with manually embedded database passwords, in which case they will have to change them.
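The injection described above leaves two tell-tale marks in a theme's header or footer: a `jquery.js` loaded from somewhere other than WordPress core and a hidden iframe pointing at a third-party host. The scanner below is an added example for this page, not code from the article or from WordPress; the sample markup, the hostnames and the `scripts/` path are constructed.

```python
"""Scan WordPress theme header/footer markup for the injection pattern the
article describes: a <script> pulling a rogue jquery.js from outside core and
a hidden <iframe> calling out to a third-party host. Added example for this
page, not code from the article or from WordPress; markup and hostnames are
constructed."""
import re
from urllib.parse import urlparse

SITE_HOST = "blog.example"  # constructed: the hostname the theme legitimately serves
CORE_JQUERY = "/wp-includes/js/jquery/jquery.js"  # where WordPress core ships jQuery

# Constructed header.php excerpt; lines 2 and 3 mimic the described injection.
SAMPLE_HEADER = """<head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="/wp-content/themes/twentyten/scripts/jquery.js"></script>
<iframe src="http://malicious.example/load.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</head>
<body>"""

TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|visibility\s*:\s*hidden|width=["']?[01]["']?""", re.IGNORECASE)

def find_suspicious_tags(markup, site_host=SITE_HOST):
    """Return one finding per <script>/<iframe> whose src or styling matches the
    injection pattern; each finding lists every reason it tripped."""
    findings = []
    for m in TAG_RE.finditer(markup):
        tag_text = m.group(0)
        tag = m.group(1).lower()
        src_match = SRC_RE.search(tag_text)
        if not src_match:
            continue  # inline script or src-less iframe: out of scope here
        src = src_match.group(1)
        host = urlparse(src).hostname  # None for relative paths (same origin)
        reasons = []
        if tag == "iframe" and host is not None and host != site_host:
            reasons.append("iframe to third-party host")
        if tag == "iframe" and HIDDEN_RE.search(tag_text):
            reasons.append("hidden iframe")
        if tag == "script" and src.lower().endswith("jquery.js") and src != CORE_JQUERY:
            reasons.append("jquery.js loaded from outside core location")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings
```

On the constructed header the core jQuery include passes while the theme-local `jquery.js` and the one-pixel off-site iframe are both flagged; pointing the function at the real `header.php` and `footer.php` of each theme gives a quick first triage before comparing files against a clean copy.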

13 August 2009

WordPress Password Problem Crops Up

People who use version 2.8.3 of the WordPress blogging software may want to download an update posthaste. A vulnerability's been discovered that, while it won't let other folks take over accounts, will allow troublemakers to lock out administrators.

Laurent Gaffié gets credit for uncovering the problem, and according to a warning published on Full Disclosure, this hack isn't the domain of shadowy professionals and government agents. About all that's needed in order to pull it off is a Web browser and one special URL.

Then, it's possible to mess with the WordPress password reset function, resetting passwords without the admin ever getting any notice of the action.

You can imagine how this would prove problematic if an administrator couldn't figure out what was going on. And even if an admin did catch on, a prankster could probably manage to repeat the performance over and over, creating a real headache or even permanent roadblock.

Luckily, version 2.8.4 of WordPress has been made available in response, and it addresses the issue. So get to downloading the update as soon as seems convenient for the sake of not getting locked out of your blog.