XSS Vulnerability in Jetpack and the Twenty Fifteen Default Theme Affects Millions of WordPress Users

Jetpack and the Twenty Fifteen default theme have been updated after a DOM-based Cross-Site Scripting (XSS) vulnerability was discovered. According to Sucuri, any plugin or theme that uses Genericons is vulnerable due to an insecure file included within the package.

Genericons ships with a file called example.html which is vulnerable to attack from the Document Object Model level or DOM for short. The Open Web Application Security Project defines a DOM based attack as:

DOM Based XSS (or as it is called in some texts, ‘type-0 XSS’) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM ‘environment’ in the victim’s browser used by the original client side script, so that the client side code runs in an ‘unexpected’ manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

The payload for these types of attacks is executed directly in the browser. Even Sucuri’s website firewall is unable to block the attack since it never gets the chance to see it. The company however, has virtually patched the vulnerability.

Sucuri worked with a number of hosting providers to identify and remove the example.html file from their servers. If you use the following webhosts, you should already be patched as of a week ago.

  • GoDaddy
  • HostPapa
  • DreamHost
  • ClickHost
  • InMotion
  • WPEngine
  • Pagely
  • Pressable
  • Websynthesis
  • Site5
  • SiteGround

According to Sucuri, the example.html file was used for debugging and testing purposes but was mistakenly left inside the directory after the project was packaged for production environments. This simple oversight has placed millions of sites at risk as Twenty Fifteen is a default theme that ships with WordPress.

You should update the Twenty Fifteen theme and Jetpack regardless of which webhost you’re using. You should also remain vigilant and keep an eye out for additional plugin and theme updates. If possible, manually remove example.html from within the Genericons directory.

Update

WordPress 4.2.2 is available as a security update that addresses the Genericons issue and contains bug fixes.

There are 52 comments

Comments are closed.