Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks.
Unlike most of the previous attacks documented against WordPress, this new exploit allows even an “unauthenticated, remote attacker” to compromise and gain remote code execution on the vulnerable WordPress websites.
“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell says.
The exploit demonstrated by Scannell relies on multiple issues, including:
- WordPress doesn’t use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator.
- Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags.
- The WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open the targeted WordPress site in a hidden iframe from an attacker-controlled website.
According to the researcher, the attacker can then even take complete control over the target WordPress websites remotely by injecting an XSS payload that can modify the WordPress template directly to include a malicious PHP backdoor—all in a single step without the administrator noticing.
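The three weaknesses above map onto three defence-in-depth measures. The following is an added example, not code from the article or from WordPress itself: a small plugin that sends an X-Frame-Options header, requires a nonce on comment submission, and sanitizes every comment regardless of the author's role. The nonce action string, field name and plugin header are assumptions of this example; upgrading to 5.1.1 remains the actual fix.

```php
<?php
/*
Plugin Name: Comment hardening (example)
Description: Defence-in-depth for the comment CSRF / stored XSS / framing chain.
*/

// 1. Mitigate the hidden-iframe step: forbid framing from other origins.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( 'X-Frame-Options: SAMEORIGIN' );
        // Modern equivalent of the same restriction.
        header( "Content-Security-Policy: frame-ancestors 'self'" );
    }
} );

// 2. Mitigate the missing CSRF check: tie each comment form to a nonce
//    bound to the post ID (action/field names are this example's choice).
add_action( 'comment_form', function ( $post_id ) {
    wp_nonce_field( 'example_post_comment_' . $post_id, 'example_comment_nonce' );
} );

// Reject submissions whose nonce is absent or does not verify.
// 'pre_comment_on_post' fires before WordPress processes the submission.
add_action( 'pre_comment_on_post', function ( $post_id ) {
    $nonce = isset( $_POST['example_comment_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_comment_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_post_comment_' . $post_id ) ) {
        wp_die(
            'Comment submission rejected: missing or invalid token.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
} );

// 3. Mitigate the unsanitized-administrator-comment step: run every comment
//    through the post-content KSES whitelist, even for users who hold the
//    unfiltered_html capability (SCRIPT tags are stripped).
add_filter( 'pre_comment_content', 'wp_kses_post', 10, 1 );
```

Dropped into `wp-content/mu-plugins/`, the nonce check also rejects comments from themes whose comment form does not call `comment_form()`, so verify your theme before relying on step 2.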
However, Scannell was also able to bypass that, after which the CMS team finally released WordPress 5.1.1 with a stable patch on Wednesday.
If automatic updating of your CMS has been turned off, you are advised to temporarily disable comments and log out of your administrator session until the security patch is installed.