
Popular WordPress Plugins Vulnerable To Attacks

CdrInfo.com, Enterprise & IT, May 7, 2015

A vulnerability in two popular WordPress components is already being exploited by attackers, putting millions of WordPress sites at risk, according to security firm Sucuri. The Jetpack plugin (reported to have over 1 million active installs) and the Twenty Fifteen theme (installed by default) were both found to be vulnerable; both ship by default with millions of WordPress installs. According to David Dede, a malware researcher with Sucuri, the root cause is the Genericons icon package: any plugin or theme that bundles this package is potentially vulnerable if it also includes the example.html demo file that comes with the package.

The XSS vulnerability is very simple to exploit and occurs at the Document Object Model (DOM) level, Dede said. DOM-based XSS is an XSS attack in which the payload executes as a result of modifying the DOM "environment" in the victim's browser that the page's original client-side script relies on, so that the client-side code runs in an "unexpected" manner. The page itself (the HTTP response, that is) does not change; the client-side code contained in the page executes differently because of the malicious modifications to the DOM environment, in this case attacker-controlled data that the page's own script reads back from the URL.

That means the XSS payload is never sent to the server: it rides in the URL fragment (the part after #), which the browser keeps to itself, and it executes directly in the browser. A Web application firewall inspects only the requests the server actually receives, so it never sees the payload and cannot block it; for the same reason the payload does not show up in the web server's access logs either.

Dede wrote that Sucuri found a way to virtually patch the vulnerability, but noted that DOM-based XSS flaws "are very tricky to block."

For a successful attack, a victim has to be tricked into opening a crafted link to the vulnerable example.html page; nothing is stored on the site, the payload travels in the link itself.
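The following is an added illustration, not code from Genericons, Sucuri or WordPress: a DOM-based XSS of the kind described above, modelled in plain Node.js so it runs without a browser. The sink is a simplified stand-in for the real example.html rather than its actual code, the site and file paths are assumed, and the proof-of-concept URL is constructed for the example. It shows the three points the article makes: the fragment never reaches the server (so a WAF has nothing to inspect), an unescaped fragment written into the page becomes live markup, and the two standard ways to harden such a sink, plus the check for stray copies of the demo file.

```javascript
// Added example (not code from Genericons, Sucuri or WordPress): a DOM-based
// XSS of the kind described in the article, modelled in Node.js so it runs
// without a browser. The sink below is a simplified stand-in for the real
// example.html, not its actual code; paths and hostnames are assumed.

// The browser sends only path and query to the server; the fragment (after
// '#') stays client-side. This is all a server, access log or WAF ever sees.
function serverSideView(fullUrl) {
  const u = new URL(fullUrl);
  return u.pathname + u.search;
}

// The source: what the page's own JavaScript reads back from location.hash.
// Browsers percent-encode some characters in the hash, and demo pages
// typically decode them, which restores '<' and '>' in the payload.
function fragmentSource(fullUrl) {
  const u = new URL(fullUrl);
  return decodeURIComponent(u.hash.slice(1)); // drop the leading '#'
}

// Vulnerable sink: untrusted fragment concatenated straight into markup
// (the innerHTML pattern). A fragment such as 1<img src=x onerror=alert(1)>
// becomes a live <img> element and its onerror handler runs.
function vulnerableRender(fullUrl) {
  return '<div id="demo">' + fragmentSource(fullUrl) + '</div>';
}

// Hardened sink 1: treat the fragment as text. Escaping the five HTML
// metacharacters means the payload is displayed, never parsed as a tag.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function escapedRender(fullUrl) {
  return '<div id="demo">' + escapeHtml(fragmentSource(fullUrl)) + '</div>';
}

// Hardened sink 2: when the fragment is only ever meant to name an icon or
// element id, validate it against an allowlist and refuse anything else.
// Rejecting beats "cleaning up" for an identifier, since the value may later
// be reused in a selector or attribute where escaping rules differ.
const IDENT = /^[A-Za-z0-9_-]{1,64}$/;
function strictRender(fullUrl) {
  const id = fragmentSource(fullUrl);
  if (!IDENT.test(id)) return null; // reject, do not attempt to sanitise
  return '<div id="' + id + '"></div>';
}

// Remediation check in the spirit of the fix described in the article: given
// a list of paths from a WordPress tree, return every copy of the Genericons
// example.html, which has no business on a production site.
function findGenericonsExampleFiles(paths) {
  return paths.filter((p) => /(^|\/)genericons\/example\.html$/.test(p));
}

// Constructed proof-of-concept URL; host and path are assumed for the example.
const POC_URL =
  'https://victim.example/wp-content/themes/twentyfifteen/genericons/example.html' +
  '#1<img src=x onerror=alert(1)>';

// Constructed directory listing (assumed paths, not taken from the article).
const SAMPLE_TREE = [
  'wp-content/themes/twentyfifteen/genericons/example.html',
  'wp-content/themes/twentyfifteen/genericons/genericons.css',
  'wp-content/plugins/some-plugin/assets/genericons/example.html',
  'wp-includes/js/jquery/jquery.js',
];

console.log('server sees :', serverSideView(POC_URL));
console.log('vulnerable  :', vulnerableRender(POC_URL));
console.log('escaped     :', escapedRender(POC_URL));
console.log('strict      :', strictRender(POC_URL));
console.log('stray files :', findGenericonsExampleFiles(SAMPLE_TREE));
```

On a real install, feed findGenericonsExampleFiles the output of a directory walk over wp-content; any hit is a file to delete, which is exactly what the WordPress security team's update does for the bundled themes and plugins. The escaping variant is the general fix for a text sink; the allowlist variant is the right one when the value is an identifier, as it is for an icon demo page.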

Update: WordPress developers responded quickly with a new release, WordPress 4.2.2, published on Thursday, which fixes two critical cross-site scripting (XSS) vulnerabilities.

"All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file," the WordPress developers said in the release announcement.

Once installed, WordPress 4.2.2 scans the site's directories for the vulnerable example.html file and removes every copy it finds.

In addition, the new version patches a second critical cross-site scripting flaw which, according to the WordPress developers, could let anonymous users compromise a site. It also hardens the visual editor against a potential XSS issue.


Tags: wordpress