WordPress Security Alert: Jetpack and Twenty Fifteen Vulnerable to DOM-Based XSS

Security firm Sucuri has published a security alert on its blog notifying all WordPress users of a vulnerability that could potentially affect millions of websites. According to the firm, the DOM-based Cross-Site Scripting (XSS) vulnerability could affect any theme or plugin that uses the Genericons package.

In the latest case, security researcher David Dede wrote that one particularly popular theme and one widely used plugin have been found to be vulnerable: the Twenty Fifteen theme, which ships by default with every WordPress installation, and the Jetpack plugin, which brings many WordPress.com features to self-hosted sites.

Because literally millions of WordPress installations have Jetpack plugin installed on them, and many more have Twenty Fifteen theme, it's still difficult to measure exactly how many sites are vulnerable at this point. However, thanks to the security researchers and developers, an update has been released by Jetpack that fixes the vulnerability. Some hosting companies have also tightened their security to safeguard WordPress websites hosted with them.

If you want to know more about the technical side of the vulnerability, here's a great article over at Acunetix that covers this topic well.

How to Ensure Safety

Jetpack has already shipped a new version that takes care of the issue.

Fortunately, it's rather easy to secure your WordPress installations against this vulnerability. All you need to do is remove any unnecessary example.html file from your server and you should be good to go. The example.html file is usually found inside a folder named genericons within a theme or plugin's folder. So the default locations of the vulnerable files, as of now, are:

wp-content/themes/twentyfifteen/genericons/example.html
wp-content/plugins/jetpack/_inc/genericons/genericons/example.html

Jetpack has already released an update to its plugin that patches the issue. So you should head over to your WordPress dashboard now and check for updates if you are using the plugin. Some users have reported that an update for the Twenty Fifteen theme was also released that patches the example.html file in its folder, but at the time of writing this post, I could not find an update.

So, as Sucuri suggests, you should immediately update your Jetpack plugin to the latest version, and remove the genericons/example.html file from the Twenty Fifteen theme to ensure the safety of your site. If you're not using the theme, you may also remove the theme altogether if you find logging in over FTP to remove one file a bit of work.
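If you manage more than one site, or a site with many themes and plugins, checking the two default paths by hand is error-prone. The following script is an added example (it is not from the original post, nor from Sucuri or Jetpack) that searches an entire wp-content tree for any example.html sitting inside a genericons folder, which covers the two default locations above as well as any other theme or plugin that bundles the same package. It assumes a POSIX shell and a local filesystem path to wp-content; the --remove flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): find, count and optionally
# remove stray genericons/example.html files under a WordPress wp-content tree.
# Assumptions: POSIX sh; "$1" is a local path to wp-content. The two default
# paths named in the post (twentyfifteen and jetpack) both match the pattern.

# List every example.html that lives directly inside a directory named
# "genericons", at any depth, so nested plugin/theme layouts are covered.
find_genericons_examples() {
    wp_content="$1"
    find "$wp_content" -type f -path '*/genericons/example.html' 2>/dev/null | sort
}

# Count the matches; a non-zero result means cleanup is still due.
# Handy as a periodic check, since a plugin update can reintroduce the file.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete the matched files, printing each path so the action is logged.
# Only files inside a genericons directory are touched; any other
# example.html on the site is left alone.
remove_genericons_examples() {
    wp_content="$1"
    find "$wp_content" -type f -path '*/genericons/example.html' -print -exec rm -f {} \;
}

# Usage when run directly:
#   ./genericons_check.sh /var/www/html/wp-content           # report only
#   ./genericons_check.sh /var/www/html/wp-content --remove  # delete matches
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    if [ "${2:-}" = "--remove" ]; then
        remove_genericons_examples "$1"
    else
        find_genericons_examples "$1"
        echo "Found $(count_genericons_examples "$1") genericons/example.html file(s)"
    fi
fi
```

Run it in report mode first and review the list; the files are static demos that nothing on a production site should need, so removing them does not affect the theme or plugin. Because an update can ship the file again, re-running the report after each update is a cheap way to confirm it stayed gone.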

It is also notable that Sucuri reported some web hosts have already hardened their environments against this vulnerability, namely GoDaddy, HostPapa, DreamHost, ClickHost, Inmotion, WPEngine, Pagely, Pressable, Websynthesis, Site5, and SiteGround. Sucuri also wrote that any site that uses its “Website Firewall” service is protected from this vulnerability as well. If you are hosted by any of these hosting companies or if you have the Sucuri Website Firewall, you are most likely already protected. If not, you should go ahead and remove the example.html file to stay protected.

As with most other things, vast popularity comes with some degree of headaches. As WordPress is the most popular CMS on the market right now, an increase in vulnerabilities and attacks against it is to be expected. Fortunately for WordPress users, the user base is so huge that you can expect any vulnerability to be discovered long before any major disaster can take place, which leads to developers patching the vulnerability.

A general rule of thumb in regards to WordPress security is to keep your WordPress core as well as every theme and plugin updated as soon as updates are available. By doing this, you can avoid almost all potential security issues with WordPress. For everything else, keep an eye on WordPress-related blogs like this one.

Have you taken safety measures to safeguard your WordPress site?

Via: Sucuri blog
