Skip to Main Content

WordPress 4.2.1 Patches Zero-Day exploit

This vulnerability is affecting all previous versions and can be leveraged via the comment section of a website running WordPress, by hiding malicious code that is executed on the server.

An attacker exploiting the flaw can execute arbitrary code on the server, create new administrator accounts, or make changes with the same privileges as the currently logged-in admin.

The bug is very similar to the one patched in 4.1.2.

The problem with this bug resides in the way WordPress stores the large comments (more than 64k): such comments are truncated when stored in the database, resulting in malformed HTML being generated.

Now one might ask why someone would allow a 64K comment in the first place. But, since it is allowed to comment in HTML, the full HTML is stored in the database.

If you add some formatting to the comment, the 64K can be consumed rather quickly.

By setting up special attributes of the supported HTML tags, the attacker can hide a short malicious JavaScript code in the comment and execute it without any visible sign when the administrator viewed it in the Dashboard before approving it.

As an immediate reaction to this exploit, WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

You can also download WordPress 4.2.1 manually or update over to Dashboard → Updates and simply click “Update Now”.

For more information, see the release notes.

IT Security Expert, CSSLP, Security+, Project+