Genericons DOM-based XSS vulnerability - Vulnerability Database

Genericons DOM-based XSS vulnerability

Description

Genericons is a vector icon webfont library that includes a demonstration file named example.html. This file contains a DOM-based Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary JavaScript in users' browsers. This vulnerability is particularly significant because Genericons is bundled with popular WordPress components, including the default TwentyFifteen theme and the widely-used JetPack plugin, potentially affecting millions of WordPress installations.

Remediation

Immediately remove the vulnerable demonstration file from your installation. Follow these steps based on your environment:

For WordPress Installations:
1. Locate and delete the example.html file from the Genericons directory, typically found at:
   • wp-content/themes/twentyfifteen/genericons/example.html
   • wp-content/plugins/jetpack/_inc/genericons/example.html
2. Update WordPress to version 4.2.2 or later, which removes this file from the TwentyFifteen theme
3. Update JetPack plugin to the latest version
4. Search for other instances across all themes and plugins:

find /path/to/wordpress -name "example.html" -path "*/genericons/*"

For Standalone Genericons Implementations:
Remove the example.html file from your genericons directory and ensure it is not accessible via web requests by adding a server configuration rule if needed.

Verification:
After removal, verify the file is no longer accessible by attempting to access it directly via your web browser. The request should return a 404 error.
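The following POSIX shell script is an added example, not part of the Invicti advisory. It implements steps 1 and 4 of the WordPress remediation (locate and delete every example.html that sits inside a genericons directory) plus the 404 verification, and exercises the search and removal on a constructed directory layout that mirrors the two paths listed above. The verify_removed function assumes curl is installed.

```shell
#!/bin/sh
# Added example: remove leftover Genericons example.html demo files under a
# WordPress tree and check that the URL is no longer served.

# Print every example.html located inside a genericons directory below $1.
find_genericons_demo() {
  find "$1" -type f -name 'example.html' -path '*/genericons/*' 2>/dev/null
}

# Delete each file reported by find_genericons_demo and print what was removed.
remove_genericons_demo() {
  find_genericons_demo "$1" | while IFS= read -r f; do
    rm -f -- "$f" && printf 'removed %s\n' "$f"
  done
}

# Return 0 when the URL now answers HTTP 404, 1 otherwise (needs curl).
verify_removed() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  [ "$code" = "404" ]
}

# Demo on a constructed layout: two genericons copies (theme and Jetpack) plus
# one unrelated example.html that must NOT be touched. Prints "before after kept".
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/themes/twentyfifteen/genericons" \
           "$tmp/wp-content/plugins/jetpack/_inc/genericons" \
           "$tmp/wp-content/plugins/other/docs"
  : > "$tmp/wp-content/themes/twentyfifteen/genericons/example.html"
  : > "$tmp/wp-content/plugins/jetpack/_inc/genericons/example.html"
  : > "$tmp/wp-content/plugins/other/docs/example.html"   # unrelated, keep
  before=$(( $(find_genericons_demo "$tmp" | wc -l) ))
  remove_genericons_demo "$tmp" >/dev/null
  after=$(( $(find_genericons_demo "$tmp" | wc -l) ))
  kept=$(( $(find "$tmp" -type f -name 'example.html' | wc -l) ))
  rm -rf "$tmp"
  echo "$before $after $kept"   # → "2 0 1"
}
```

Run the search without removal first (find_genericons_demo /path/to/wordpress) to review the matches, then verify_removed against the public URL of each deleted file once the change is deployed.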