There are millions of websites that are currently at risk of being hijacked by hackers because of a grave cross-site scripting (XSS) vulnerability present in a default installation of the mega popular content management system (CRM), WordPress.

Security researcher Robert Abela of Security firm Netsparker discovered the cross-site scripting (XSS) vulnerability on April 22^nd.

This WordPress vulnerability comes within a webfont package named Genericons, which is a part of the default Twenty Fifteen WordPress Theme.

The Main Threat

The XSS vulnerability is “DOM-based.” It exists in the DOM (document object model,) which is an API (application programming interface) responsible for delivering content, such as images, text, links and headers to user’s browsers. In this case, the DOM delivers the web page content.

An insecure file within the Twenty Fifteen theme opened up the door for an easy exploitation of this XSS vulnerability which allows hackers to modify the DOM in the browser of victims.

What is a DOM-Based XSS Attack?

A DOM-Based XSS attack allows for hackers to manipulate where the payload executes, causing it to bypass the browser’s HTML data.

This means the browser’s user will see an entirely different code than what is actually located within the page itself. The payload executes in the DOM because of the modified file.

Unfortunately, these types of vulnerabilities are more difficult to detect than previously discovered XSS flaws due to the fact that they are built into the script code of the website.

Because of the fact that this DOM-Based XSS vulnerability does not change the URL or redirect the user to another websites, hackers can use it to invade a user’s session and launch elaborate phishing attacks.

The Twenty Fifteen theme isn’t the only one with this particular vulnerability. At this time, this vulnerability is being aggressively exploited by a researcher, who has also found it to be built into the popular JetPack plugin as well. It is believed that any WordPress plugin that utilizes the Genericons font package is vulnerable to hacker attacks.

The JetPack plugin is a very commonly downloaded by casual WordPress users, as it attempts to make website’s easier to customize and contains resources such as traffic reporting, performance tools and mobile responsiveness at a basic level. This particular plugin has been downloaded over 1 million times.

How Does a Hacker Hijack Vulnerable WordPress Websites?

In order for a DOM-Based XSS attach to occur the website administrator will have to click on a malicious link while being logged into their WordPress admin account. Once they have clicked that link the hacker is able to gain full control of what users see when they visit that vulnerable website.

David Dede, security researcher for Sucuri explained that they had received reports from some of their clients regarding this particular vulnerability. Their clients had been receiving a report that specifically pointed to:

http://site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>.“wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>

Dede pointed out, “In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin.”

There is currently no exact number as to how many websites are vulnerable to the latest hacker attack, but the JetPack plugin comes installed by default on many WordPress templates, which means there could be millions of websites at risk.

How to Protect your WordPress Website

In order to ensure your website is not at risk, log into your admin account and check if you are running the Genericons package. If your website is running this package, you must either delete the example.html file from the data, or at least, check that your web application firewall or intrusion detection system is blocking the file.

Sucuri has informed nearly a dozen web hosts. These web hosts were able to virtually patch the vulnerability of the websites that they host. These hosting companies include ClickHost, HostPapa, GoDaddy, DreamHost, Inmotion, WPEngine, Pressable, Websynthesis, Site5, Pagely, and Siteground.

Surfaced Media has cleared any potential vulnerability from its clients websites and all website owners should also consider contacting their web developer or web development company to confirm their website is not currently at risk. If you need any assistance or help in this process, feel free to contact us and we’ll take care of it for you!

Update Your WordPress

On Wednesday, May 6^th, WordPress released an update (WordPress 4.2.2) which resolved the issues that were occurring with Genericons icon font package as well as patched the XSS vulnerability that was present, which allowed hackers to manipulate the websites.

If you have a WordPress website, you are strongly recommended to update your WordPress to version 4.2.2 immediately.

If you have disabled the “auto-update” feature on your admin WordPress account, you must log in and upgrade manually as soon as possible to ensure the safety of your websites.