Klikki Oy security bod Pynnonen commented: “An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication” and “probably the most serious WordPress core vulnerability that has been reported since 2009”.
The flaw has existed for about four years, affecting versions 3.0 through 3.9.2 but not the newest version, 4.0. Official patches were released on November 20. They have now been deployed automatically to most WordPress sites. Reportedly the Akismet comment plugin now also filters any malicious comments containing the exploit.
So users of WordPress 4.0 are safe from this, but they should note that version 4.0.1 patched a separate, also critical, set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.
Tomi Engdahl says:
Four-year-old comment security bug affects 86 percent of WordPress sites
Bug allows script attack that could be used to hijack sites or attack visitors.
A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.
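Both comments above describe the same class of problem: an anonymous visitor submits a comment containing markup or script, and if that body reaches other visitors' browsers as live HTML it runs in their session. The following is an added illustration, not code from the page, from WordPress, or from Klikki; it does not model the mechanism of the specific bug reported here, which the page does not describe. It shows the weak rendering pattern beside the escaped one and a small check, built on Python's standard `html` and `html.parser` modules, that a site operator could run over rendered comment HTML to flag script tags or `on*` event-handler attributes. The sample comment is constructed and does nothing.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an untrusted comment body that carries markup.
SAMPLE_COMMENT = 'Nice post! <script>/* constructed, does nothing */</script>'


def render_unsafe(comment: str) -> str:
    """Interpolate the comment body into the page without escaping (the weak pattern)."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """Escape the body so the browser treats it as text, not markup (the corrected pattern)."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


class _ActiveContentFinder(HTMLParser):
    """Records <script> tags and on* event-handler attributes seen in a fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content_in(fragment: str) -> list:
    """Return the script-bearing constructs found in an HTML fragment (empty list if none).

    The parser only reports real tags and attributes, so escaped text such as
    '&lt;script&gt;' is not flagged, which is exactly the property we want.
    """
    finder = _ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        page = renderer(SAMPLE_COMMENT)
        print(f"{label:8s} -> active content: {active_content_in(page) or 'none'}")
```

The check is a post-render audit, not a replacement for escaping or for an allowlisting filter on the server: it confirms that what is sent to the browser contains no live script, whatever the comment pipeline did before that point.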