The open-source WordPress content management system (CMS) on April 27 issued an emergency update, patching a new zero-day vulnerability that might have exposed users to risk.
Security researcher Jouko Pynnönen first blogged about the zero-day issue on April 26. “An unauthenticated attacker can inject JavaScript in WordPress comments,” Pynnönen warned. “The script is triggered when the comment is viewed.”
Pynnönen referred to the issue as a stored Cross Site Scripting (XSS) vulnerability. The big risk with the flaw is that if a WordPress administrator was somehow tricked into viewing the comment, the attacker would be able to execute arbitrary code.
The WordPress’ 4.2.1 update now provides a fix for the XSS issue though not all WordPress site administrators will need to take any manual steps to actually get the patch. Since the WordPress 3.7 release in October 2013, WordPress has provided its self-hosted users with an automated patching capability for critical security updates. WordPress 4.2.1 isn’t the only new update either. WordPress 4.1.4 and 4.0.4 were also released providing updates for older versions of WordPress.
While the issue sounds scary, the actual risk for many WordPress users was likely very limited even before the core WordPress team issued a patch on April 27. Automattic, the lead commercial sponsor behind the open-source WordPress CMS, has a technology known as Akismet for filtering spam comments. Many self-hosted WordPress site administrators deploy the freely available Akismet as part of any new WordPress installation. Akismet would have caught the XSS flaw in comments as a spam comment, reducing the potential risk to users.
WordPress is available in a self-hosted model as well as a hosted model on WordPress.com.
“All WordPress.com sites—including WordPress.com VIP sites—are not vulnerable: Your WordPress.com sites are protected by the Akismet anti-spam service, which is already blocking those comments,” WordPress staffer, Krista Stevens wrote in a blog post.
The new security update is the second security milestone update for WordPress in the last week. On April 22, WordPress warned users about multiple vulnerabilities that were fixed in the WordPress 4.1.2 update. Among the fixed issues were a pair of XSS vulnerabilities that also could have enabled an attacker to take control of a WordPress site.
While there seems to be a regular flow of WordPress vulnerabilities that are disclosed, it’s important to recognize the exceptional speed with which WordPress’ security team fixes issues. The new zero-day issue was patched well within 24 hours of it first being public.
More importantly, WordPress has automatic updates, so there isn’t all that much lag between the time a patch is issued and when sites are updated. Having the Akismet service in this case provided users with an additional layer of protection.
The bottom line is that exploits and vulnerabilities are inevitable, but having the process and technology in place to rapidly deal with issues is the real key to mitigating risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.