WordPress Vulnerability Affects Millions of Websites; Fix Issued

By Ketan Pratap | Updated: 8 May 2015 18:50 IST
Security researchers have discovered vulnerabilities in the default installation of WordPress, leaving sites that use the content management system open to attack, specifically a critical cross-site scripting vulnerability that allows anonymous users to compromise the site.

David Dede of the security research company Sucuri has claimed that any WordPress theme or plugin that ships the genericons package is at risk. Dede adds that both one of the default WordPress themes, Twenty Fifteen, and the Jetpack plugin use the genericons icon font package.

The vulnerability can allow attackers to take over any WordPress website that uses the default theme or plugin if the administrator accidentally clicks a malicious link. The genericons package ships with an insecure file that exposes the site to a cross-site scripting vulnerability.

WordPress on Thursday released version 4.2.2, a security and maintenance release targeted at fixing the vulnerability. The release addresses two security issues, including updated genericons used in the default themes and plugins; it also scans the WordPress content directory for the affected (and "nonessential") example.html file and removes it.

Dede of Sucuri explains the vulnerability: "The XSS vulnerability is very simple to exploit and happens at the Document Object Model (DOM) level. DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) 'environment' in the victim's browser used by the original client side script, so that the client side code runs in an 'unexpected' manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment."
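The distinction Dede draws, a fixed HTTP response whose client-side script behaves differently depending on the URL fragment, is easier to see in code. The following is an added illustration, not the article's or the genericons package's own example.html code; the page template, the icon names and the two URLs are constructed for the demonstration. It shows a fragment-reading script in its vulnerable form beside a hardened form that treats the fragment as data.

```javascript
// Added example (not from the article or from the genericons/WordPress code).
// A client-side script reads the URL fragment and builds markup from it.
// The server sends the same response for both URLs below; only the fragment,
// which never leaves the browser, differs. That is what makes this DOM-based XSS.

// Constructed inputs: the same page with a benign and a hostile fragment.
const BENIGN_URL = "https://example.test/icons/example.html#search";
const HOSTILE_URL = "https://example.test/icons/example.html#<img src=x onerror=probe()>";

// Read the fragment the way location.hash exposes it, with the leading '#' removed.
function fragmentOf(url) {
  const i = url.indexOf("#");
  return i === -1 ? "" : decodeURIComponent(url.slice(i + 1));
}

const TEMPLATE = '<p class="demo">Showing icon: ';

// VULNERABLE: the fragment is concatenated straight into markup destined for
// innerHTML, so anything after '#' becomes live HTML in the victim's browser.
function renderUnsafe(url) {
  return TEMPLATE + fragmentOf(url) + "</p>";
}

// HARDENED: the fragment is data, not markup. Accept only names the page actually
// knows (allow-list, constructed here), fall back to a known default otherwise,
// and HTML-encode before the value reaches the markup.
const KNOWN_ICONS = new Set(["search", "star", "cloud"]);

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(url) {
  const name = fragmentOf(url);
  const icon = KNOWN_ICONS.has(name) ? name : "search";
  return TEMPLATE + escapeHtml(icon) + "</p>";
}

// Review-time check: did the rendered page gain a tag or event handler that the
// template never emitted? True means fragment content became markup.
function introducesMarkup(html) {
  const body = html.slice(TEMPLATE.length, -"</p>".length);
  return /<|on\w+\s*=/i.test(body);
}

module.exports = { fragmentOf, renderUnsafe, renderSafe, introducesMarkup, BENIGN_URL, HOSTILE_URL };
```

With the benign fragment both renderers produce identical markup, which is why a server-side scan of responses cannot catch this class of bug; only the hostile fragment separates them.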

The security firm has also listed a few hosts that have already patched the issue, including GoDaddy, HostPapa, DreamHost, ClickHost, Site5, and SiteGround, among others.
