Security Experts:

WordPress Flaw Allows XSS Attack via Image Filenames

WordPress users have been advised to update their installations to version 4.6.1, which fixes a couple of security flaws and over a dozen functionality bugs affecting previous versions.

According to WordPress developers, version 4.6 and earlier are plagued by two vulnerabilities. One of them, identified by Dominik Schilling of the WordPress security team, is a path traversal in the upgrade package uploader.

The second issue, discovered by Han Sahin, co-founder of Dutch security firm Securify, is a persistent cross-site scripting (XSS) flaw caused by unsafe processing of image filenames.

An advisory provided by Securify to SecurityWeek reveals that an attacker can exploit the vulnerability by inserting an XSS payload into an image file’s name. If the attacker can trick the targeted website’s administrator into uploading the malicious image via the WordPress Media Upload functionality, the payload gets executed, allowing the hacker to conduct various operations, such as stealing session tokens and login credentials.

Sahin pointed out that the targeted administrator must use operating systems like Linux and Mac OS X, which provide the extended file name capabilities necessary for the attack to work.

WordPress 4.6.1, which is considered a security release, also addresses 15 bugs, including one that involved disabling a PHP warning for security reasons.

This is the fifth WordPress security release issued this year. In versions 4.4.1, 4.4.2, 4.5.2 and 4.5.3, the content management system’s developers patched XSS, redirect bypass, information disclosure, denial-of-service (DoS), unauthorized category removal, password reset, open redirect, and server-side request forgery (SSRF) flaws.

Securify ran a month-long event in July, inviting researchers to find vulnerabilities in WordPress and WordPress plugins. The hacker event, dubbed “Summer of Pwnage,” resulted in the discovery of 120 vulnerabilities in the WordPress core and various plugins, including ones that have hundreds of thousands and even over one million active installs.

The Summer of Pwnage advisories show that there are still several vulnerabilities in the WordPress core that have not been patched.

“WordPress has a lot of security features in the code base – it is not as bad as some people in infosec might think,” Sahin told SecurityWeek in July. “The biggest problem I see is the growing number of (uncontrolled) plugins. A good suggestion would be to make an application filter in the WordPress core that forces a CSRF token on every CRUD [create, read, update, and delete] request to reduce the remote factor of issues.”

UPDATE. Securify has published the advisory describing the XSS vulnerability.

Related Reading: Stored XSS Flaw Patched in bbPress WordPress Plugin

Related Reading: WordPress.com Pushes Free HTTPS to All Hosted Sites

Related Reading: Hacked WordPress Sites Target Random Users

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.