‘Critical’ exploit chain discovered by RIPS Tech could allow for complete site takeover

WordPress admins have been urged to ensure they are running the latest version (5.1.1) after researchers disclosed a bug that could allow an attacker to take complete control of a target site.

In a technical blog post published earlier today, security researchers at RIPS Tech described a “critical exploit chain” that enables an unauthenticated third party to gain remote code execution (RCE) on WordPress installations prior to version 5.1.1, provided the site accepts comments and an administrator can be lured to an attacker-controlled page.

“An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker,” said RIPS Tech security researcher Simon Scannell.

“As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing.”

Redefining ‘toxic comments’

According to Scannell, WordPress versions 5.1.0 and earlier perform no CSRF validation when a user posts a new comment: nothing in the request ties it to a form the user actually loaded from the site. The world’s most popular CMS does sanitize comment HTML before storing it, but RIPS Tech found a flaw in that sanitization.

“This allows an attacker to create comments that can contain much more HTML tags and attributes than comments should usually be allowed to contain,” he said. “The fact that we can inject additional HTML tags and attributes… leads to a stored XSS vulnerability in WordPress core.”

With a stored cross-site scripting (XSS) payload injected into the target site, Scannell said the next stage toward RCE is to get the site administrator’s browser to execute the injected JavaScript.

“The [weaponized] comment can be displayed in a hidden <iframe> on the website of the attacker,” he explained. “Since the injected attribute is an onmouseover event handler, the attacker can make the iframe follow the mouse of the victim to instantly trigger the XSS payload.”

“This allows an attacker to execute arbitrary JavaScript code with the session of the administrator who triggered the CSRF vulnerability on the target website. All of the JavaScript execution happens in the background without the victim administrator noticing,” he added.

Offering mitigation advice, RIPS Tech said the issue has been patched in WordPress 5.1.1, the latest release.

If automatic updating has been turned off, Scannell advised that comments should be disabled until the security patch is installed.

“Most importantly, make sure to log out of your administrator session before visiting other websites,” he said.

News of the bug comes a month after RIPS Tech researchers disclosed an authenticated RCE vulnerability in WordPress 5.0.0.
