Last month, a Finnish IT company by the name of Klikki Oy identified a critical vulnerability in WordPress – one which has been present in the platform for approximately four years. It allows attackers to enter comments which include malicious JavaScript. Once the script in these comments is executed, the attacker could then do anything from infecting the PCs of visitors to completely hijacking the website; locking the original administrator out of their account.
“Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment,” explained security expert Jouko Pynonnen. “The rogue code could then perform administrative operations by covertly taking over the administrator account. Such operations include creating a new administrator account, changing the current administrator password and, in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating-system-level access on the hosting server.”
Yeah, it’s pretty bad.
Believe it or not, it actually gets a whole lot worse. According to Ars Technica, the exploit could, based on current usage statistics, affect upwards of 86% of WordPress-powered websites. The good news is that WordPress has already issued an update which patches out this vulnerability along with several other, unrelated bugs. It’s also worth mentioning that WordPress 4.0, released in September, is also invulnerable to the attack.
Version 4.0 can be downloaded here; 4.01 here – I’d advise installing one of them as soon as humanly possible.
Of course, for many websites, that might not be an option. Upgrading immediately might mean sacrificing functionality on a number of critical plugins, many of which might not be compatible with the new version. So…assuming you can’t immediately apply the patch to your WordPress server, how can you make sure you’re still protected?
There are a few methods.
First and foremost, Klikki reports that Akismet’s comment plugin is able to filter any comments attempting to make use of the exploit. For websites that don’t use Akismet, Klikki has released a plugin of its own; one which neuters the exploit by disabling texturization (something you could also do manually, with a PHP workaround). Finally – and this may not be an ideal solution either – you might consider disabling comments altogether until you can patch your site.
After all, attackers can’t exploit a feature that doesn’t exist, right?
By far, this is the biggest security vulnerability that’s been revealed in WordPress in years. The ability to lock an administrator out of their website with a few pieces of code isn’t something to be taken lightly. As such, this isn’t something you can afford to ignore – if you want to keep your website safe, secure, and completely under your control, you need to take action.
Trust me – you’ll sorely regret it if you don’t.
Image: Flickr/Marina Shemesh
