This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
Today we published advisory CVE-2015-3429 about a DOM based cross-site scripting vulnerability in the default WordPress theme Twenty Fifteen. This WordPress theme has been included by default in WordPress since version 4.1, which was released on the 18th of December 2014.
Millions of WordPress Websites Vulnerable to DOM XSS
Since the Twenty Fifteen theme is included by default in WordPress, many WordPress users do not delete it from their installation even when they use another theme. Even though the theme is not activated, the vulnerable files can still be accessed by attackers, thus rendering such sites vulnerable to DOM XSS. When you consider that WordPress powers around 20% of the websites on the internet, there could be millions of WordPress websites vulnerable to this DOM XSS vulnerability.
How Are DOM XSS Vulnerabilities Typically exploited?
To exploit a DOM based cross-site scripting vulnerability such as this one, after identifying a vulnerable website the attacker sends an email to the website users with a link that will exploit the vulnerability and triggers a script that steals the users' cookie. Instead of an email the attacker can also post a comment on the website itself with the malicious link.
To encourage users to click the link attackers typically send legit like emails where they advise the users to click on the link to update their profile, or to change their password etc. Even though the link is malicious, it still points to the legit website's domain hence typically users, even administrators sometimes fall for such type of tricks and click on the link.
Once a user clicks on the link and the attacker gets hold of the users' cookie, the attacker can easily input the cookie in his browser to emulate the users' session. Should the victim be the WordPress administrator, the attacker gains administrative privileges on the target and vulnerable website. Typically at this stage the attacker creates another user with administrator privileges to retain access to the vulnerable website and operate unnoticed. For more detailed and technical information on this vulnerability read our article DOM based cross-site scripting vulnerability.
How to Fix this WordPress DOM XSS?
WordPress just announced WordPress 4.2.2, a security and maintenance fix that addresses this and other issues. If you have automatic updates enabled most probably your WordPress websites have been updated. Alternatively, if you do not want to update your WordPress to 4.2.2, which is not recommended you can:
a) update the theme Twenty Fifteen only, or if you are not using it simply uninstall it from your WordPress website or
b) delete the vulnerable file example.html which can be found in the following WordPress directory /wp-content/themes/twentyfifteen/genericons/example.html