Cross-site scripting vulnerability in Wordpress

Five new vulnerabilities in the popular Wordpress blogging system are described by German security specialist Benjamin Flesch in his blog. However, four of the vulnerabilities require Wordpress admin privileges to be exploited, which considerably narrows down their scope. These include SQL injection and cross-site scripting vulnerabilities. In addition, Flesch reports a database bug which does not cause security issues, and another previously known vulnerability.

A cross-site scripting hole in the wp-admin/includes/upload.php file is the only bug that poses a higher risk. However, this has already been patched by Wordpress developers, although the patch has so far only been applied to the repositories. Due to insufficient filtering of the style parameter, JavaScript code can be injected and executed on the user’s system within the context of the Wordpress page. For the attack to be successful, however, the victim has to have at least authoring permissions in the blog.

The Wordpress worm publicised by Flesch turns out to be an interactive patch script written in JavaScript that exploits the cross-site scripting vulnerabilities described. Among other things, the script allegedly reads the _wpnonce credential to autonomously patch Wordpress and make other changes. Reports say the Wordpress worm is not yet fully developed, however, which is why users are still discouraged from executing this "helpful worm".

A Web 2.0 worm written in JavaScript completely crashed MySpace in late 2005 by embedding itself in generated invitations. When viewed by the invited person, the script re-executed itself to invite more friends. This MySpace worm was also spread via a cross-site scripting hole.

See also:

• Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated), blog by Benjamin Flesch
• Wordpress uploads.php Cross-Site Scripting Vulnerability, entry in Wordpress-Trac

(mba)