Instart Logic customers protected from the WordPress XSS Vulnerability

WordPress XSS Exploit

WordPress developers released a patch on Wednesday to fix a XSS (Cross-Site Scripting) vulnerability in their code that could potentially allow a hacker to compromise a website. The website can only be exploited if the user is already authenticated as an Admin.

To protect our customers, Instart Logic’s security team investigated this vulnerability and created a new Instart Logic WAF rule to identify the attack.

How does a hacker attack an XSS-vulnerable website?

By leveraging XSS, a hacker can input a dangerous payload (for example, a malicious JavaScript) and have it run in the victim’s browser. The attacker can use a phishing attack or other social engineering techniques to have the user visit the URL that includes the malicious payload.

XSS attacks can give the attacker access to a user’s cookies, make arbitrary changes to the visited page, or turn the user’s client into a bot used to send HTTP requests to unwanted destinations. In more severe cases, it could potentially give the hacker access to the user’s webcam or microphone.

How this vulnerability works

The code for the patch issued by the WordPress team can be found here:

By looking closely we can see that the vulnerability existed in the Error page displayed behind the authenticated URL /wp-admin/customize.php.

Our researchers used a simple HTML payload to show how it works:


The theme directory test does not exist

As you can see, the browser is executing the href tag instead of sanitizing it.

$this->errors = new WP_Error( 'theme_not_found', sprintf( __( 'The theme directory "%s" does not exist.' ), $this->stylesheet ) );

The patch in WordPress 4.4.1 solves it by sanitizing the theme parameter using the esc_html function before displaying the page.

$this->errors = new WP_Error( 'theme_not_found', sprintf( __( 'The theme directory "%s" does not exist.' ), esc_html( $this->stylesheet ) ) );

How can you protect your Wordpress website?

If you are an Instart Logic customer and you are using our Web Application Firewall (WAF), you are already protected. Otherwise, make sure you upgrade immediately to WordPress 4.4.1 before hackers exploit this vulnerability in your site.

Learn more about Instart Logic: