Don't be a WordPress RCE-hole and patch up this XSS vuln, pronto

A newly revealed vuln in the open-source CMS WordPress allows an unauthenticated website attacker to remotely execute code – potentially letting naughty folk delete or edit blog posts. The flaw, detailed by German code-checking company RIPS Technologies in a blog post, can be exploited "by tricking an administrator of a target …

  1. adnim Silver badge

    Security-aware folk are unlikely to be affected by this

    a) the target site having comments enabled - check

    b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. - uncheck.

    I do a whois on the source IP and based on the results block the IP or a subnet.

    Anyone that admins a Wordpress site and does click on links within a spam comment shouldn't own a computer let alone admin a Wordpress install.

    I updated anyway.

    1. Solarflare

      Re: Security-aware folk are unlikely to be affected by this

      Who said anything about clicking a dodgy link? It's an onmouseover event...

    2. Anonymous Coward Silver badge

      Re: Security-aware folk are unlikely to be affected by this

      The link they click on doesn't have to be in a comment.

      The problem is that they can post a comment by clicking a link somewhere else, and that comment that they inadvertently post can contain javascript.

      The example in the article creates a malicious link in the comment that they didn't mean to post, but only as an example of something that would pass the basic sanitisation that wordpress performs.

  2. fidodogbreath Silver badge

    5.no

    Not on 5.1.1? You should be

    For those of us avoiding the dread 5.x Gutenberg "editing experience," it looks like this issue was also fixed in Wordpress 4.9.10 (released on the same day as 5.1.1).

    My site has comments disabled anyway, but that's more about mental health than security.

    1. Captain Scarlet Silver badge

      Re: 5.no

      Have you tried the Classic Editor on 5.x?

  3. JoelLkins

    > "WordPress performs no CSRF [Cross-Site Request Forgery] validation when a user posts a new comment. This is because some WordPress features such as trackbacks and pingbacks would break if there was any validation"

    Um, Trackbacks and Pingbacks have been broken for over 10 years, ever since script kiddies figured out it was an easy way to Spam and DDOS.

    Anyone that admins a Wordpress site that has TB/PB enabled shouldn't own a computer let alone admin a Wordpress install.
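The reply above and the quoted RIPS passage describe the same mechanism: wp-comments-post.php accepts a submission with no CSRF check, so an admin's browser can be made to post a comment from a page it was lured to. One defender-side signal for that is a comment POST whose Referer is missing or points off-site. The following is an added example, not code from the article or from WordPress, that scans constructed access-log lines for exactly that pattern; the host name blog.example and the log lines are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format) for a site whose
# comment form and admin panel live on blog.example (hypothetical host).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2019:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://blog.example/2019/03/post/" "Mozilla/5.0"
203.0.113.5 - - [13/Mar/2019:10:05:44 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2019:10:06:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2019:10:07:00 +0000] "GET /wp-admin/edit-comments.php HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site_comment_post(entry, own_hosts):
    """True when a comment submission arrived without a same-site Referer.
    A missing or foreign Referer on wp-comments-post.php is how a CSRF-driven
    submission (the victim's browser posting from a page elsewhere) shows up
    in the access log. Treat it as a triage signal, not proof: some browsers
    and privacy extensions strip Referer on legitimate submissions."""
    if entry["method"] != "POST" or entry["path"].split("?")[0] != "/wp-comments-post.php":
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    return urlsplit(ref).hostname not in own_hosts

def find_suspicious_posts(log_text, own_hosts):
    """Return (ip, timestamp, referer) for every comment POST worth a look."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cross_site_comment_post(entry, own_hosts):
            hits.append((entry["ip"], entry["ts"], entry["referer"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG, {"blog.example"}):
        print("cross-site comment POST:", hit)
```

On real logs, pair each hit with the comment that was stored at that time and inspect it for event-handler attributes before it is ever rendered in the admin's comment list.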

  4. Anonymous Coward

    FTFY

    Anyone that admins a Wordpress site and does click on links within a spam comment shouldn't own a computer let alone admin a Wordpress install.


Biting the hand that feeds IT © 1998–2019