Popular WordPress Plugins Vulnerable To Attacks
A vulnerability in two popular WordPress plugins is already being exploited by hackers, putting millions of WordPress sites at risk, according to security firm Sucuri. The JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) were found to be vulnerable. Both the plugin and the theme are default installs in millions of WordPress installs. According to David Dede, a malware researcher with Sucuri, the main issue is the genericons package: any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that ships with the package.
The XSS vulnerability is very simple to exploit and happens at the Document Object Model (DOM) level, said Dede. DOM-based XSS is an XSS attack in which the payload is executed as a result of modifying the Document Object Model (DOM) "environment" in the victim's browser that the original client-side script relies on, so that the client-side code runs in an "unexpected" manner. That is, the page itself (the HTTP response) does not change, but the client-side code contained in the page executes differently because of the malicious modifications that have occurred in the DOM environment.
Because the XSS payload is never sent to the server side and is executed directly in the browser, web application firewalls cannot see it and cannot stop it.
Dede wrote that Sucuri found a way to virtually patch the exploit, but that DOM-based XSS flaws "are very tricky to block."
For a successful attack, a victim would have to be tricked into clicking on a malicious link.
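The following is an added illustration, not code from the article or from the genericons package, of the two points above: a payload carried in a link's URL fragment never appears in the HTTP request (so a server-side firewall has nothing to inspect), and a client-side sink that places that fragment into markup unescaped behaves very differently from one that escapes it. The plugin path and the fragment value are constructed; the vulnerable snippet does not claim to reproduce example.html itself.

```javascript
// Added illustration (not the article's or the genericons package's code):
// why a DOM-based XSS payload in the URL fragment never reaches the server,
// and how an unsafe client-side sink differs from a hardened one.

// The browser sends only path and query in the request line; the fragment
// (everything after '#') stays in the browser, so server logs and web
// application firewalls never see it.
function requestLineFor(urlString) {
  const url = new URL(urlString);
  return `GET ${url.pathname}${url.search} HTTP/1.1`;
}

// Unsafe pattern: fragment text is concatenated straight into markup, as a
// page does when it assigns such a value to innerHTML. Tags in the fragment
// become live elements.
function renderUnsafe(fragment) {
  const value = decodeURIComponent(fragment.replace(/^#/, ""));
  return `<div class="preview">${value}</div>`;
}

// Hardened pattern: escape the HTML-significant characters before the value
// is placed in markup (the equivalent of using textContent, not innerHTML).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(fragment) {
  const value = decodeURIComponent(fragment.replace(/^#/, ""));
  return `<div class="preview">${escapeHtml(value)}</div>`;
}

// Constructed sample link: the plugin directory name is hypothetical, and the
// fragment carries markup where the page would expect plain text.
const sampleUrl =
  "https://example.invalid/wp-content/plugins/sample/genericons/example.html#%3Ci%3Enot-text%3C/i%3E";

function demo() {
  const frag = new URL(sampleUrl).hash;
  return {
    requestLine: requestLineFor(sampleUrl), // fragment absent from the request
    unsafe: renderUnsafe(frag),             // tags survive into the markup
    safe: renderSafe(frag),                 // tags neutralised
  };
}
```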
Update: WordPress developers were quick to respond, releasing a new WordPress version on Thursday that fixes the two critical cross-site scripting (XSS) vulnerabilities.
"All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file," the WordPress developers said in the release announcement.
Once installed, WordPress 4.2.2 scans the site's directory for the vulnerable HTML file and removes all instances of it.
In addition, the new version patches a second critical cross-site scripting flaw which, according to the WordPress developers, could let anonymous users compromise a site. It also hardens defences against a potential XSS issue in the visual editor.