Security Breach Identified for Users of Popular WordPress Plugin and Theme

If you use WordPress to build and maintain your website and you installed the Jetpack plugin or the Twenty Fifteen theme, you could be exposed to a newly identified vulnerability.

According to the web security firm Sucuri, any WordPress plugin or theme that bundles the popular genericons icon package could be affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.

Both the Jetpack plugin (which has more than 1 million active users) and the Twenty Fifteen theme (WordPress’s current default theme) ship genericons. The vulnerability lies in the example.html file that comes with the package.

Eliminating the Threat

The quick fix is to delete the example.html file from the genericons directory. It is only a demo page, and your site doesn’t need it anyway.

Sucuri said it detected this vulnerability before it was being exploited in the wild, so it hasn’t done any known damage so far. Because of Sucuri’s wicked fast response, the threat level to WordPress users isn’t considered serious. But the firm warned that the vulnerability would be easy to exploit.

Sucuri notified the most popular web hosting services of the vulnerability and gave them the patch they needed to block it. So if you use any of these hosts, you already have the virtual patch you need to protect yourself:

– GoDaddy
– HostPapa
– DreamHost
– ClickHost
– Inmotion
– WPEngine
– Pagely
– Pressable
– Websynthesis
– Site5
– SiteGround

But if your site is hosted by a different company, you may need to fix the issue manually. All you have to do, according to Sucuri, is go to the genericons directory and delete the example.html file, and you will be completely protected.
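As an added example (not from the article, Sucuri or WordPress), the shell script below applies that manual fix to an entire WordPress install: it finds every example.html sitting inside a genericons directory, whether bundled by a theme or by a plugin, deletes only those files, and verifies none remain. The install path is an assumption; adjust it to your server.

```shell
#!/bin/sh
# Added example: remove every genericons/example.html under a WordPress root.
# Run as the web server's file owner, e.g.:  sh fix-genericons.sh /var/www/html
# (/var/www/html is an assumed path; use your own install directory.)

# Refuse to run against anything that does not look like a WordPress root.
check_wp_root() {
    [ -d "$1/wp-content" ] || { echo "not a WordPress root: $1" >&2; return 1; }
}

# List every example.html that sits directly inside a genericons directory.
# Themes and plugins may each bundle their own copy, so search the whole tree.
list_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Number of such files still present (0 once the fix is complete).
count_genericons_examples() {
    list_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete the demo pages. Only example.html is touched; the icon font and CSS
# in the same directory are what the theme or plugin actually uses and stay.
remove_genericons_examples() {
    check_wp_root "$1" || return 1
    find "$1" -type f -path '*/genericons/example.html' -print -exec rm -f {} +
}

# Full run: report what is present, remove it, then confirm nothing is left.
fix_genericons() {
    check_wp_root "$1" || return 1
    before=$(count_genericons_examples "$1")
    echo "found $before example.html file(s) inside genericons directories"
    remove_genericons_examples "$1" >/dev/null || return 1
    after=$(count_genericons_examples "$1")
    echo "remaining after fix: $after"
    [ "$after" = "0" ]
}

# Run only when a path is given; sourcing the file just defines the functions.
if [ $# -ge 1 ]; then
    fix_genericons "$1"
fi
```

Re-run the script after plugin or theme updates, since an update can restore the file.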

Who Is Responsible?

How the vulnerability got there in the first place, and what its designers intended, is not known. It’s strange that Automattic and the WordPress team would leave a simple example.html file in the genericons directory. Was this an oversight or something more sinister? At the moment, we don’t have a good answer to that question.

Here’s a wonky description of DOM-based XSS from the OWASP group:

“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”

What that means, I don’t know. But I do know that the XSS payload is never sent to the server and is executed entirely in the browser. So even if your website sits behind a firewall, the firewall can’t do anything about the vulnerability because it never sees the payload. While it’s possible to patch the vulnerability, DOM-based XSS can be very difficult to block.

A Close Shave

DOM-based XSS attacks are also more difficult for hackers to pull off, because they require a good deal of social engineering to get people to click on the malicious link. But if hackers can get someone to click through, it provides the same level of access as other types of XSS attacks. Theoretically, the exploit could be used to execute JavaScript in your browser and take over any site on which you are logged in as the admin.

Had this exploit not been caught, it could have had a devastating impact on unsuspecting website owners and businesses alike.

In any case, if you remove the example.html file from the genericons directory, you should be okay for now.