WordPress Flaw Allows Arbitrary Code Execution via Comments: Researcher

A researcher has found a way to execute arbitrary JavaScript code on WordPress websites by leveraging a stored cross-site scripting (XSS) bug related to how WordPress truncates comments.

Finland-based security researcher Jouko Pynnönen of Klikki Oy says the vulnerability can be exploited by an unauthenticated attacker to inject code via comments. If the specially crafted comments are viewed by an administrator, the attacker can take control of the affected website.

A similar vulnerability was reported to WordPress developers in February 2014 by Belgian researcher Cedric Van Bockhaven. The critical XSS flaw reported by Van Bockhaven, which leveraged special characters to truncate crafted comments and achieve arbitrary code execution, was addressed by WordPress last week with the release of WordPress 4.1.2.

The stored XSS vulnerability discovered by Pynnönen is similar, but instead of invalid characters, it relies on very long comments (roughly 66,000 characters).

“If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long,” the researcher explained in an advisory. “The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags.”
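To make the truncation mechanism concrete, the following is an added illustration (not code from the article, the researcher, or WordPress): a comment that a sanitiser would approve is silently shortened to the MySQL TEXT column size on storage, leaving an unterminated tag, and an application-side byte-length check rejects such a comment before it ever reaches the database. The sample comment and helper names are constructed for this example.

```python
# Added example, not from the article or WordPress: sanitisation that approves a
# comment before the database silently shortens it leaves malformed HTML; checking
# the byte length against the column capacity first prevents that.

MYSQL_TEXT_MAX = 65535  # capacity of a MySQL TEXT column, in bytes


def store_as_text_column(comment_html: str) -> str:
    """Mimic MySQL silently truncating an oversize value written to a TEXT column."""
    return comment_html.encode("utf-8")[:MYSQL_TEXT_MAX].decode("utf-8", "ignore")


def ends_inside_tag(html: str) -> bool:
    """True when the text is cut off inside a tag: the last '<' has no matching '>'."""
    last_open = html.rfind("<")
    return last_open != -1 and html.find(">", last_open) == -1


def fits_text_column(comment_html: str) -> bool:
    """Defensive check: refuse, before storage, anything the column cannot hold."""
    return len(comment_html.encode("utf-8")) <= MYSQL_TEXT_MAX


def build_oversize_comment() -> str:
    """Constructed sample: harmless filler followed by an ordinary link tag placed so
    that the column boundary falls in the middle of its href attribute."""
    link = '<a href="https://example.com/" title="a perfectly ordinary link">read</a>'
    filler = "x" * (MYSQL_TEXT_MAX - 20)  # boundary lands 20 bytes into the tag
    return filler + link + " and some more text"


def demo() -> dict:
    """Run the oversize comment through the length check and the simulated column."""
    comment = build_oversize_comment()
    stored = store_as_text_column(comment)
    return {
        "passes_length_check": fits_text_column(comment),   # False: reject it
        "stored_bytes": len(stored.encode("utf-8")),        # 65535: column is full
        "stored_ends_inside_tag": ends_inside_tag(stored),  # True: tag was cut open
        "stored_tail": stored[-30:],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point is ordering: any filter that approves markup must see exactly the bytes that will be stored and rendered, so the length limit belongs before sanitisation rather than in the database's silent truncation.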

According to Pynnönen, the specially crafted code submitted via comments is not executed in the administrator dashboard. Instead, it gets executed when the victim views the post where the malicious comment was published.

“If comment moderation is enabled (default) the comment won't appear on the page until it has been approved. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation, and can inject the exploit to several pages and blog posts,” the researcher told SecurityWeek.

In a proof-of-concept video, the researcher showed how a malicious actor can execute arbitrary code on an affected server through the plugin and theme editors. An attacker who tricks an administrator into viewing the malicious comment can carry out various tasks, including changing the admin password and creating new admin accounts, the expert said.

The attack method disclosed by Pynnönen affects WordPress 4.2 (the latest version) and earlier, but the researcher has decided not to report his findings to WordPress developers because he is displeased with the way they’ve handled his recent vulnerability reports.

Van Bockhaven explained in a blog post that it took WordPress more than a year to fix the XSS flaw he reported because it affected the WordPress core at the database layer and the developers had to conduct thorough tests to ensure that the fix would not have a negative impact on certain websites.

However, Pynnönen believes it shouldn’t have taken so long to release the patch.

“They have been looking at the comment truncation problem at least since February 2014. According to the timeline in Cedric van Bockhaven's blog, they took 14 months(!) to produce the code to detect invalid characters in comments. During this time all WordPress servers using default comment settings have been relatively easily ‘hackable’. Now it turns out they still didn't get it right,” Pynnönen said via email.

“It looks like the risk for WordPress users may be smaller and patches faster with full disclosure. At least now they know how to prevent getting compromised - instead of another year of vulnerability and false sense of security,” the expert added.

Automattic, the company behind the WordPress.com blogging service, told SecurityWeek that the core security team is currently working on a fix for the core software. Until a patch becomes available, website owners running a self-hosted version of WordPress are advised to install the Akismet anti-spam plugin, which is currently used to protect WordPress.com sites against potential attacks.

“The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet,” Automattic founder Matt Mullenweg said in an emailed statement.

Pynnönen says he reported another stored XSS vulnerability to WordPress in November 2014, but it still hasn’t been fixed.

In the same month, WordPress credited the expert for reporting a critical XSS flaw that affected millions of websites running versions prior to 4.0. Pynnönen said he was promised a minimum bounty of $2,000 for responsibly disclosing the bug, but instead he only received a $100 reward via HackerOne, which he plans on donating to a charity.

*Updated with statement from Automattic and Matt Mullenweg, and clarification that the researcher plans on donating the reward to charity

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.