WordPress 4.2.1 was released on Monday to address a critical zero-day vulnerability disclosed on Sunday by Finnish researcher Jouko Pynnönen of Klikki Oy. The expert published the details of the security bug without notifying WordPress because he was displeased with the way developers handled his recent vulnerability reports.
The stored cross-site scripting (XSS) vulnerability disclosed by Pynnonen is similar to a flaw discovered by Belgian researcher Cedric Van Bockhaven, which WordPress fixed last week with the release of version 4.1.2, more than a year after it was reported. The bug, which affects WordPress 4.2 and earlier, can be exploited by an unauthenticated attacker to execute arbitrary code via very long comments that get truncated when they’re saved into the database.
“The attacker is sending fragments of HTML code to the server that contains JavaScript in it. WordPress tries to verify the content, but misses the embedded script. This specific exploit is because the attacker sends very long content – over 64Kb, which is truncated in the database,” Jeff Williams, CTO of Contrast Security, explained via email. “[When] WordPress sends that data back to the browser as part of a webpage, the script executes.”
“That would be enough for an interesting attack, but this particular exploit goes further. When the attack is executed on an administrator, it uses the administrative privilege to install plugins and execute content directly on the server. Most XSS problems are not exploitable in a way that allows a complete remote host takeover,” Williams added.
The comment truncation flaw reported by Van Bockhaven was addressed by WordPress only after 14 months. However, Pynnonen’s approach forced the WordPress team to release a patch within hours.
Before the fix was released, website owners running a self-hosted version of WordPress were advised to install the Askimet anti-spam plugin in order to protect themselves against potential attacks.
Pynnonen said he decided not to notify WordPress before making the vulnerability public because a different stored XSS flaw that he reported in November is still unpatched. His attempts to obtain information from WordPress on the status of a patch were unsuccessful, even after he tried contacting developers via HackerOne and CERT Finland (CERT-FI).
Furthermore, WordPress last year promised the researcher a minimum bounty of $2,000 for responsibly disclosing a critical bug affecting WordPress versions prior to 4.0, but they only awarded him $100.
“I don’t think it’s my job to spend months begging for the security team to communicate with me about security vulnerabilities. It’s their job and responsibility to communicate with researchers who try to help them and their customers. And if they ‘pro-actively’ and spontaneously offer me a bug bounty, I think it would be appropriate for them to keep their word,” Pynnonen told SecurityWeek. “I’m sure many people think the disclosure was irresponsible. But instead of months or years, the fix was produced in a few hours. During this time users were aware of the threat and could take precautions.”
Williams believes WordPress is to blame for incidents like this one.
“The researcher did not notify WordPress that this exploit was coming, and I can’t blame him. Historically, WordPress has not been responsive to ‘responsible’ vulnerability disclosure where the researcher gave them time to fix the problem,” Williams told SecurityWeek. “In a recent very similar disclosure, WordPress took 14 months to close the issue. However, this issue was closed almost immediately after the unannounced disclosure. So, unfortunately, WordPress has trained researchers that if they want a quick response, they should just release exploits without notification.”