A critical cross-site scripting (XSS) vulnerability in a default WordPress plugin may allow attackers to hijack websites, Sucuri researcher David Dede has found.
According to Dede, who is renowned for his prolific WordPress popping, the Twenty Fifteen plugin installed on all WordPress sites is now being actively attacked.
In addition, the JetPack plugin, which has some one million installations, is also vulnerable to the easy-to-exploit DOM-based XSS.
The XSS stems from the genericons package, which allows the Document Object Model (DOM) environment in the victim's browser to be modified.
"The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package," Dede says. "That means the XSS payload is never sent to the server side and is executed directly at the browser."
"In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded," he adds. "What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations."
To resolve the issue, users can delete the unnecessary genericons/example.html file. Dede has also contacted hosting providers including GoDaddy, HostPapa, and DreamHost to help fix the vulnerability at scale.
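Because the payload lives in the URL fragment and never reaches the server, web-server logs will not show these attacks, so the practical check is whether the file is still present. The following shell helpers, an added example rather than anything from Sucuri, Automattic or WordPress, locate every leftover genericons/example.html under a WordPress document root (the default path and the directory layout used in the comments are assumptions; pass your own root) and optionally delete them:

```shell
#!/bin/sh
# Added example (not Sucuri's or WordPress's tooling): find and remove the
# genericons/example.html file that ships with the package and carries the
# DOM-based XSS. Any theme or plugin bundling genericons may contain a copy,
# so the search is by path suffix rather than by a fixed theme/plugin name.

# Print the full path of every genericons/example.html below $1
# (default root is an assumption; adjust to your install).
find_genericons_examples() {
  root="${1:-/var/www/html}"
  find "$root" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Number of copies still present; non-zero means remediation is pending.
count_genericons_examples() {
  find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete each copy found and report what was removed. The file is a static
# demo page, so removing it does not affect the icon font itself.
remove_genericons_examples() {
  find_genericons_examples "$1" | while IFS= read -r f; do
    rm -f -- "$f" && echo "removed: $f"
  done
}

# Stand-alone usage: report first, then remove.
#   count_genericons_examples /path/to/wordpress
#   remove_genericons_examples /path/to/wordpress
```

Run the count first to see how many copies exist across themes and plugins, then remove them; re-running the count afterwards should return 0. Keep in mind that a plugin or theme update may restore the file if upstream has not yet dropped it, so the check is worth repeating after updates.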