WordPress announced a security update to fix two vulnerabilities that could provide an attacker with the opportunity to stage a full site takeover. Of the two, the more serious one is a stored cross-site scripting (stored XSS) vulnerability.
WordPress Stored Cross Site Scripting (XSS) Vulnerability
The WordPress XSS vulnerability was discovered by the WordPress security team within the core WordPress files.
A stored XSS vulnerability is one in which an attacker is able to get a malicious script saved on the WordPress site itself, so that the site later serves it to other users and it runs in their browsers.
These vulnerabilities are generally found anywhere the site accepts and stores user input, such as post content or a contact form.
Typically such input is protected by what is called sanitization. Sanitization is simply a process that filters the submitted input so that only permitted content (for example plain text or an allowed subset of HTML) is kept, and anything else, such as script tags or event-handler attributes, is removed.
According to Wordfence, the affected WordPress code did perform sanitization in order to strip malicious content from the submitted input.
But the order in which the sanitization happened set up a situation where the sanitization could be bypassed.
Wordfence offered this insight into the patch that fixes this vulnerability:
“The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.”
Bugs of this kind usually come down to how the input-handling code was written, for example running the sanitization step before another step that can reintroduce dangerous content.
When a user with administrator privileges views the affected page, the stored JavaScript executes in that user's browser and, with that administrator-level access, can do things like take over the site, create a new administrator-level account and install backdoors.
A backdoor is a file/code that allows a hacker to access the backend of a WordPress site at will with complete access.
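As an added illustration of the ordering problem Wordfence describes, the JavaScript below is example code written for this article, not WordPress's own PHP (which uses wp_kses and wp_filter_global_styles_post, neither of which is reproduced here). It pairs a stand-in sanitizer with a stand-in post-processing step that decodes HTML entities: a payload that looks harmless to the sanitizer becomes live markup once the later step runs, so sanitizing first and transforming second lets it through, while transforming first and sanitizing the final form does not. The payloads and both filters are constructed for the example.

```javascript
'use strict';

// Stand-in sanitizer: removes <script> elements and inline event handlers.
// Deliberately simple; the point is the ordering, not the filter itself.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Stand-in post-processing step that runs on the same stored content.
// Decoding entities is enough to turn an inert-looking string back into
// live markup once the sanitizer is no longer looking at it.
function postProcess(html) {
  return html
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Vulnerable order: sanitize first, then transform. Whatever the transform
// produces is never seen by the sanitizer.
function saveVulnerable(userInput) {
  return postProcess(sanitizeHtml(userInput));
}

// Fixed order: transform first, then sanitize the final form.
function saveFixed(userInput) {
  return sanitizeHtml(postProcess(userInput));
}

// Crude check used only to report the outcome: does live script survive?
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed payloads (not taken from any real report).
const PAYLOADS = {
  plain: '<p>Hello</p><script>alert(1)</script>',
  entityEncoded: '<p>Hello</p>&lt;script&gt;alert(1)&lt;/script&gt;',
};

// Returns, per payload, whether active script survives each pipeline.
function evaluate() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      vulnerable: containsActiveScript(saveVulnerable(payload)),
      fixed: containsActiveScript(saveFixed(payload)),
    };
  }
  return report;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The plain payload is caught in both orders, which is why ordering bugs are easy to miss in testing: the sanitizer is not broken, it is simply not the last thing that touches the content.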
Prototype Pollution Vulnerability
The second issue discovered in WordPress is called a prototype pollution vulnerability. This is a JavaScript flaw in which attacker-controlled input (typically an object key such as __proto__) lets the attacker add or change properties on a shared prototype, so that every object in the page's JavaScript inherits them.
This second issue is actually two problems that are both Prototype Pollution Vulnerabilities.
One is a prototype pollution vulnerability discovered in the Gutenberg wordpress/url package, a module within WordPress that lets a WordPress site parse and manipulate URLs.
For example, this package provides functions for building and parsing query strings and cleans up URL slugs, doing things like converting uppercase letters to lowercase.
The second one is a Prototype Pollution vulnerability in jQuery. This vulnerability is fixed in jQuery 2.2.3.
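To show what prototype pollution in a query-string parser looks like, the JavaScript below is an example constructed for this article; it is not the code of the wordpress/url package or of jQuery, and it does not reproduce either reported bug. A naive bracket-notation parser writes nested keys without checking them, so a query such as `?__proto__[polluted]=yes` lands on Object.prototype and every object in the page inherits the property; the hardened version drops keys that name the prototype chain and builds null-prototype containers. The parser, the key list and the probe query are all assumptions of the example.

```javascript
'use strict';

// Naive bracket-notation query-string parser, constructed for this example.
// "a[b]=1&c=2" becomes { a: { b: "1" }, c: "2" }. It never checks keys, so
// "__proto__[polluted]=yes" walks into Object.prototype and writes there.
function parseQueryVulnerable(query) {
  const result = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
    const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]]; // for "__proto__" this is Object.prototype
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened parser: keys that name the prototype chain are rejected, and every
// container is a null-prototype object, so "__proto__" is never a setter.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
    if (path.some((segment) => FORBIDDEN_KEYS.has(segment))) continue; // drop it
    const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Runs a parser against a polluting query and reports whether an unrelated,
// freshly created object picked up the injected property. The prototype is
// cleaned up afterwards so the check can be repeated.
function pollutionCheck(parser) {
  const bystander = {};
  const before = 'polluted' in bystander;
  parser('?page=1&__proto__[polluted]=yes');
  const after = 'polluted' in bystander;
  delete Object.prototype.polluted;
  return { before, after };
}

console.log('vulnerable:', pollutionCheck(parseQueryVulnerable)); // { before: false, after: true }
console.log('safe:      ', pollutionCheck(parseQuerySafe));       // { before: false, after: false }
```

The bystander object is created before the parse and never touched by it, which is exactly what makes the bug dangerous: code elsewhere on the page that does something like `if (options.isAdmin)` now sees a value it never set. This is also why Wordfence's note about needing "a separate vulnerable component" matters; the pollution itself does nothing until some other code trusts the inherited property.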
Wordfence states that it is not aware of any exploits of this vulnerability and that the complexity of exploiting it makes it unlikely to be an issue.
The Wordfence vulnerability analysis concluded:
“An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. “
How Bad is the WordPress Stored XSS Vulnerability?
This particular vulnerability requires an account with contributor-level access, which has the permissions needed to submit the content that carries the malicious script.
So there is an extra step: an attacker must first obtain contributor-level login credentials before proceeding to exploit the stored XSS vulnerability.
While that extra step makes the vulnerability harder to exploit, all that stands between relative safety and a full site takeover is the strength and complexity of contributor passwords (and how freely a site hands out contributor accounts).
Update to WordPress 5.9.2
The latest version of WordPress, 5.9.2, fixes the security issues described above and patches one bug that could produce an error message when previewing the Twenty Twenty Two theme.
A WordPress tracking ticket explains the bug like this:
“Having an older default theme activated and then clicking to preview Twenty Twenty Two gave me an error screen with a grey background with a white notification box saying “The theme you are currently using is not compatible with Full Site Editing.””
The official WordPress announcement recommends that all publishers update their installation to WordPress version 5.9.2.
Sites with automatic updates enabled have already received the fix and are protected.
That is not the case for all sites, however, because many sites require someone with administrator-level access to approve the update and set it in motion.
So it is prudent to log in to your website and confirm that it is running version 5.9.2.
If it is not, the next steps are to back up the website and then update to the latest version.
That said, some will add an additional layer of safety by first updating a copy of the site on a staging server and reviewing the updated copy to make sure there are no conflicts with currently installed plugins and themes.
Plugins and themes often publish their own updates after an important WordPress release in order to fix compatibility issues.
Nevertheless, WordPress recommends updating as soon as possible.
Citations
Read the Official WordPress.org Announcement
WordPress 5.9.2 Security and Maintenance Release
Read the Wordfence Explanation of the Vulnerabilities
WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities
Official WordPress 5.9.2 Version Summary
Examine the WordPress Bug Fix Documentation
Live Preview Button showing issue