WordPress: A New Critical Flaw Lies in the Comments



  • A cross-site scripting (XSS) attack on a WordPress site can hand an attacker a full site takeover, and this is only the latest in a long line of flaws. WordPress's security policy is being criticized by many.

Update:

  • The vulnerability is fixed by WordPress 4.2.1, released on 28 April.

A new critical flaw affects WordPress, the most popular CMS and, one could say, the most famous website-building tool, used by about 23% of all websites worldwide. Most of the flaws affecting the platform lie in plugins, where it is enough to disable the offending plugin pending a fix. The vulnerability in question, discovered by the Finnish security researcher Jouko Pynnönen, touches the heart of the platform itself: WordPress core, in version 4.2 and all previous versions.

Mechanism of Attack

  • The attack relies on a stored cross-site scripting (XSS) vulnerability that stems from the way MySQL truncates data. A comment longer than the 64 KB that a MySQL TEXT column can hold (at least 66,000 characters) is silently cut when it is stored, so the text WordPress sanitized is not the text it later renders, and JavaScript injected into the comment survives. When a logged-in administrator views the comment, the script runs with the administrator's privileges and can be turned into server-side code execution through the plugin and theme editors, which let it write PHP at the heart of the site. The attacker can then create a new administrator account, change passwords or publish unapproved content. Ordinary readers of a WordPress site are not affected.
  • Admittedly, under default settings a comment must be approved by an administrator before it is displayed, so the attack requires that approval. But WordPress's default configuration also lets through, without moderation, any further comment from an author who already has one approved comment: the attacker can therefore post an innocuous comment first, wait for an administrator to approve it, and then post the malicious one, which no longer needs validation.
  • Pending a fix, Pynnönen's advice in his blog post is simply to turn off comments. The WordPress project has since released an emergency update, 4.2.1, that closes the vulnerability, and recommends upgrading to it without delay.

14 Months to Fix a Bug…

  • A few days earlier, WordPress had fixed another bug affecting comments, discovered in February 2014 by the researcher Cedric Van Bockhaven. That vulnerability also exploited the way MySQL truncates data, this time at the first character the database's 3-byte "utf8" encoding cannot store (certain special characters, such as emoji). The fix for this flaw, which also allowed code execution on the server, shipped in WordPress 4.1.2, released on 21 April 2015.
  • It was precisely those 14 months between the discovery of that flaw and the release of its patch that prompted Jouko Pynnönen to unveil the new vulnerability publicly, under a full-disclosure policy, whereas Cedric Van Bockhaven detailed the mechanism of his attack only after the patch was available.
  • During that period, every WordPress site using the default settings for the comment system was easily hackable, the Finnish researcher says. His view is that full disclosure exposes WordPress users to less risk, because it produces the quickest fix. Events seem to have proved him right: this time WordPress responded quickly, probably helped by the closeness of the attack mechanisms used by Cedric Van Bockhaven and Jouko Pynnönen.
  • However, the Finn's disclosure also caught the platform's developers off guard before they could publish a new version. Pynnönen says he had already reported another vulnerability to the WordPress developers last November, and that no fix for it is available yet; according to him, the WordPress team has offered no explanation for why the bug is still unpatched. He adds that all versions of WordPress are affected by this third flaw as well.
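The following Python script is an added example, not code from the original article or from WordPress. It models the mechanism shared by the two comment flaws discussed above: the sanitizer approves the complete submitted comment, a MySQL server that is not in strict mode silently truncates it on INSERT, either at the 64 KB TEXT limit or at the first 4-byte character a 3-byte "utf8" column cannot store, and the stored text is structurally different from what was checked. The payloads are constructed here in the shape of the published proof of concept, not the researchers' exact strings, and the helper names (`mysql_text_truncate`, `tags_and_quotes_closed`, `column_can_hold`, `store_comment_safely`) are invented for the illustration. The hardened path shows the general fix: refuse to store anything the column cannot hold in full, and run MySQL in strict mode so oversized data raises an error instead of being cut.

```python
"""Sanitized-vs-stored mismatch behind the two comment flaws (added illustration).

A comment is checked in full when it is submitted, but a MySQL server that is
not running in strict mode silently keeps only what the column can hold, so
the text later rendered in the administrator's browser is not the text that
was checked. Nothing here is WordPress code; the helper names are invented.
"""

MYSQL_TEXT_MAX = 65535  # capacity of a MySQL TEXT column, in bytes


def mysql_text_truncate(value: str, charset: str = "utf8mb4",
                        limit: int = MYSQL_TEXT_MAX) -> str:
    """Model what a non-strict MySQL server stores in a TEXT column.

    charset="utf8mb4": the first `limit` bytes survive, the rest is dropped
                       (the 64 KB truncation behind the 4.2 flaw).
    charset="utf8":    MySQL's 3-byte 'utf8' cannot hold a 4-byte character
                       (emoji, rare CJK); the value is cut at the first one
                       (the 'special character' truncation fixed in 4.1.2).
    """
    if charset == "utf8":
        for i, ch in enumerate(value):
            if len(ch.encode("utf-8")) == 4:
                value = value[:i]
                break
    data = value.encode("utf-8")[:limit]
    # A byte cut can land inside a multi-byte character; drop the fragment.
    return data.decode("utf-8", errors="ignore")


def tags_and_quotes_closed(html: str) -> bool:
    """The structural property a sanitizer relies on: every tag it opened is
    closed and every quoted attribute value has its closing quote. Text seen
    inside a quoted value (here 'onmouseover=...') is data, not an attribute,
    only for as long as that quote stays closed."""
    in_tag, quote = False, None
    for ch in html:
        if not in_tag:
            in_tag = ch == "<"
        elif quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ">":
            in_tag = False
    return not in_tag and quote is None


def column_can_hold(comment: str, column_charset: str = "utf8mb4") -> bool:
    """True only if the column will store `comment` exactly as submitted."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_MAX:
        return False
    if column_charset == "utf8":
        return all(len(ch.encode("utf-8")) < 4 for ch in comment)
    return True


def store_comment_safely(comment: str, column_charset: str = "utf8mb4") -> str:
    """Hardened path: reject what cannot be stored in full, so the sanitized
    text and the stored text can never differ. In production, also set
    sql_mode=STRICT_TRANS_TABLES so an oversized INSERT fails instead of
    truncating silently."""
    if not column_can_hold(comment, column_charset):
        raise ValueError("comment cannot be stored without truncation")
    return comment


# Constructed payload in the shape of the published proof of concept (not the
# researcher's exact string): the hostile text sits inside a quoted title
# attribute, and the padding pushes the closing quote and the closing tag past
# the 64 KB column limit.
LONG_PAYLOAD = ("<a title='x onmouseover=alert(document.cookie) "
                "style=position:absolute;left:0;top:0;width:5000px;height:5000px "
                + "A" * 66000 + "'>hello</a>")

# Constructed payload for the 4-byte-character variant: the emoji marks where a
# 3-byte 'utf8' column drops the rest of the comment, closing quote included.
EMOJI_PAYLOAD = "<a title='x onmouseover=alert(1) \U0001F600 rest'>hello</a>"


def demo() -> dict:
    """Run both variants; report what was checked versus what was stored."""
    report = {}
    for name, payload, charset in (("64kb", LONG_PAYLOAD, "utf8mb4"),
                                   ("4byte", EMOJI_PAYLOAD, "utf8")):
        stored = mysql_text_truncate(payload, charset)
        report[name] = {
            "submitted_ok": tags_and_quotes_closed(payload),
            "stored_ok": tags_and_quotes_closed(stored),
            "stored_tail": stored[-48:],
            "rejected_by_hardened_path": not column_can_hold(payload, charset),
        }
    return report


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Running the file shows that both payloads pass the structural check as submitted and fail it as stored, with `stored_tail` showing where each cut lands: the `onmouseover=` text that was harmless inside a closed quoted attribute is, in the stored copy, no longer enclosed by anything. Which output filters WordPress then applies to that truncated text before the administrator's browser sees it is outside the scope of this example; the point it demonstrates is that the check and the stored data diverged, and that a length and charset check before the INSERT (or strict SQL mode) removes the divergence.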


Until a WordPress version free of these bugs is officially available, it is advisable to turn off comments. You can also consider our ESDS VTMScan web vulnerability scanner to test your WordPress website.

