The critical security release addresses a serious cross-site scripting (XSS) bug identified and reported by Jouko Pynnonen of the Finland-based IT company Klikki Oy on September 26. The vulnerability affects WordPress 3.9.2 and earlier versions which, according to the latest statistics from WordPress, account for nearly 86% of installations. WordPress 4.0, released in early September 2014, is not affected. 

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login),” Klikki Oy said in a press release. “Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administered account.”

A proof-of-concept published by the company shows that an attacker can exploit the vulnerability to create new administrator accounts, change the password of the current administrator, and execute arbitrary PHP code on the server.

“Exploitability without login, under default settings, and the server-side impact make this probably the most serious WordPress core vulnerability that has been reported since 2009,” Klikki Oy said.

Technical details on the critical XSS vulnerability are available in an advisory published by the Finnish company on November 20.

Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.

The security update also fixes 23 flaws from the WordPress 4.0 version among others.

Read Full article at SECURITYWEEK