HackDig : Dig high-quality web security articles for hacker

XSS Bug Fixed in Akismet Anti-Spam WordPress Plugin

2015-10-17 11:20

Automattic, the company behind WordPress, has fixed a stored XSS vulnerability in its Akismet spam fighting plugin, which would have permitted attackers to compromise WordPress sites.

Akismet is a plugin that comes bundled with all WordPress installations by default, being installed on millions and millions of WP sites.

The plugin is incredibly useful, allowing site administrators to easily detect comment spam, and have it cleaned from the site, or marked for review in a special section inside the WordPress administration panel (the Comments section).

Akismet versions 3.1.4 and lower are all vulnerable

According to Sucuri, a security vendor specialized in WordPress protection systems, a flaw exists in the Akismet plugin that affects all versions up to and including 3.1.4.

This flaw allows attackers to insert malicious code via blog comments, which get stored inside the website's database, and then get executed every time the administrator hovers over malformed links in the site's backend Comments section.

Despite the plethora of XSS protection filters WordPress comes built with, the flaw manifests itself due to a series of bad conjunctions, and only when the website is configured to transform text-based smileys like ":)" into graphic emojis.

Since this feature is turned on by default in all WordPress sites, along with the possibility to post comments, the attackers have a very large target at hand.

Automattic fixes bug, and also protects vulnerable Akismet plugin versions (in the cloud)

The bug was discovered at the start of the month, and Automattic patched it in less than two weeks, releasing version 3.1.5 to fix the issue.

Additionally, because Akismet checks all comments for spam against its cloud-based servers, it is also able to detect API calls coming from older Akismet plugin versions.

This allowed the WordPress team to set up a protection system in place that blocks attacks of this type, even if the webmaster has not yet upgraded his local Akismet plugin.

Earlier this month, the same Sucuri team uncovered a similar stored XSS flaw in another of Automattic's plugins, Jetpack.

Akismet XSS, executing malicious code in the WP backend
Akismet XSS, executing malicious code in the WP backend

Source: XLpRnbh1Cdl12cptWYt4WatQWZ4lmZtcWdi1yczh3LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:2535 | Comments:0 | Tags:Security Xss

“XSS Bug Fixed in Akismet Anti-Spam WordPress Plugin”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud