WORDPRESS HAS YET AGAIN left millions of its sites vulnerable after a scripting bug was found in two popular plugins.
The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default.
A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users.
In a DOM-based XSS attack the payload is executed by modifying the DOM environment in the victim's browser that the page's original client-side script relies on, so that the client-side code runs in an unexpected way.
Security firm Sucuri found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font.
"So far, the JetPack plugin, reported to have over a million active installations, and the TwentyFifteen theme, installed by default, are found to be vulnerable," explained Sucuri on its blog.
"The exact count is difficult to grasp, but both the plugin and theme are default installations in millions of WordPress installations.
"The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package."
Sucuri said that even someone using a website firewall can be vulnerable to the flaw, as the XSS payload is never sent to the server side and is executed directly in the browser, meaning that a firewall doesn't even get a chance to see it.
"DOM-based XSS attacks are also a bit harder to exploit, since it requires some level of social engineering to get someone to click on the exploit link," added the firm.
"However, once they manage to do that, it provides the same level of access as other types of XSS attacks."
To fix the vulnerability, Sucuri said that WordPress users simply need to remove the unnecessary genericons/example.html file.
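The mechanism described above, as an added illustration that is not the genericons example page nor any code from Sucuri, JetPack or WordPress: a constructed icon-preview script reads the URL fragment (location.hash) and writes it into the page, first as a DOM sink that trusts the fragment, then hardened with an allowlist and HTML escaping. A third helper shows the part of the URL a server (and a web application firewall in front of it) actually receives, which is why a server-side filter never sees the fragment. The icon names, element markup and URL are constructed for the example.

```javascript
// Added example, not code from the article or from the genericons package.
// Models the DOM-based XSS class: page script -> location.hash -> HTML sink.

// Constructed catalogue of icon names the preview page knows about.
const ICON_NAMES = ["genericon-star", "genericon-heart", "genericon-search"];

// Decode the fragment the way a page script typically would; malformed
// percent-escapes are kept raw rather than crashing the page.
function fragmentValue(hash) {
  const raw = hash.replace(/^#/, "");
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw;
  }
}

// Vulnerable pattern: the fragment is trusted and placed into markup unchanged.
// In a browser this would be used as:
//   document.getElementById("preview").innerHTML = previewUnsafe(location.hash);
// Any markup carried in the fragment survives into the DOM.
function previewUnsafe(hash) {
  const name = fragmentValue(hash);
  return `<p class="preview">Icon: ${name}</p>`;
}

// Minimal HTML escaping for text that must land inside an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: only known icon names are accepted, and the accepted value
// is still escaped before it reaches an HTML sink (defence in depth; using
// textContent instead of innerHTML in the browser is the equivalent choice).
function previewSafe(hash) {
  const name = fragmentValue(hash);
  if (!ICON_NAMES.includes(name)) {
    return `<p class="preview">Unknown icon</p>`;
  }
  return `<p class="preview">Icon: ${escapeHtml(name)}</p>`;
}

// What the HTTP request line carries: path and query only. The fragment stays
// in the browser, so server-side logging and a web application firewall have
// nothing to inspect for a DOM-based payload.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Defender-side check usable in a browser: does the fragment carry characters
// that have meaning in HTML? A legitimate icon name never does.
function fragmentLooksLikeMarkup(hash) {
  return /[<>"'&]/.test(fragmentValue(hash));
}

// Stand-alone demonstration on a constructed URL.
const sample = "https://example.invalid/genericons/example.html?v=1#<b>x</b>";
console.log("server sees :", requestTarget(sample));
console.log("unsafe sink :", previewUnsafe(new URL(sample).hash));
console.log("safe sink   :", previewSafe(new URL(sample).hash));
console.log("legit name  :", previewSafe("#genericon-star"));
```

The point the article's "firewall doesn't get a chance to see it" line makes is visible in `requestTarget`: the fragment is not part of what the browser sends, so the only places to detect or block this class are the page script itself and browser-side controls such as a Content Security Policy, which is why removing the unused example page is the practical remediation.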
"Because of the low severity but mass impact, we reached out to our network of hosting relationships in an effort to virtually patch this for millions of WordPress users as quickly as possible," said the firm.
The following hosts should have virtually patched or hardened their environments: GoDaddy, HostPapa, DreamHost, ClickHost, Inmotion, WPEngine, Pagely, Pressable, Websynthesis, Site5 and SiteGround.
The flaw was patched in the WordPress 4.2.1 Security Release; the fix was announced in an advisory by WordPress consultant Gary Pendergast just hours after the vulnerability was disclosed by a bug hunter.