Upgrade your wordpress sites to latest version of 5.1.1, before any hacker takes advantage of remote code execution vulnerability to take control of your sites and blogs.
Simon Scannell a researcher from RIPS Technologies GmbH , known for disclosing multiple vulnerabilities in wordPress in past, has now revealed new RCE vulnerability.
“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell said.
This flaw was reported in october last year by Scannell in response to which wordpress addressed this issue with an additional nonce for administrators in comment forum, instead enabling CSRF protection directly.
However Scannell successfully bypassed their new security feature too in response to which wordpress finally came out with stable patch in newer Version of 5.1.1.
How this exploit works ?
This flaw lies in CMS (Content Management Software) allowing unauthenticated remote user to perform arbitrary code execution.
The exploit demonstrated by Scannell relies on multiple issues, including:
- WordPress doesn’t use CSRF validation, allowing attackers to post comments on behalf of an administrator.
- Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags.
- WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open targeted WordPress site in a hidden iFrame from an attacker-controlled website.
Lets see step by step how it happens:
- This Exploit leverages the CSRF (Cross Site Request Forgery) vulnerability.
- When admin logs into its wordpress account and see some comment pending to be approved. These comments can have link to malicious or compromised sites. For example (” Hey your content seems awesome, I would like you to review mine too. Please read my article : http://xyzasd[dot]com ).
- When admin clicks on the compromised or malicious link mentioned in the comments, XSS (Cross site scripting payload) is injected into admin’s wordpress site with CSRF vulnerability.
- Once payload in injected, its starts executing JS in the background without admin’s permission, once admin approves the comment, it appears on the front end of the site which is not protected by the x-frame option header, making comment visible in the hidden iframe on the attacker’s system. Depending upon the injected attributes attacker can use different event handling techniques to trigger the injected XSS payload.
- This all together allows an attacker to execute arbitrary code with the session of the administrator.
How to Defend against this:
We strongly recommend to update your wordpress site with the latest patch version 5.1.1. If automatic updates are enabled then you can sit back and relax.
What else we could have done to defend against this:
Before clicking on any such link inside the comment section make sure to check its reputation at multiple sources like virustotal and mxtoolbox etc, to have an idea, how good or bad reputation it holds, on that basis also we can avoid clicking such links.
Please let us know, if you have any questions or concerns regarding above article.
Stay Tuned for more interesting Cyber stuff 🙂