Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.
The XSS vulnerability WordPress is experiencing is very simple to exploit and happens at the Document Object Model (DOM) level. If you are not familiar with DOM attacks, the OWASP group explain it well:
DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
That means the XSS payload is never sent to the server side and is executed directly at the browser. So even someone using our WAF, can be vulnerable since it never gets a chance to see it. In this case, we were able to virtually patch the exploit, but DOM-based XSS are very tricky to block.
DOM-based XSS are also a bit harder to exploit, since it requires some level of social engineering to get someone to click on the exploit link. However, once they manage to do that, it provides the same level of access as other types of XSS attacks (reflected or stored).
0-Days in the Wild
What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:
http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
Remove the genericons/example.html file
Fortunately, the fix for this one is pretty straight forward. Remove the unnecessary genericons/example.html file or make sure you have a WAF or IDS that is blocking access to it. Because of the low severity, but mass impact we reached out to our network of hosting relationships in an effort to virtually patch this for millions of WordPress users as quickly as possible
The following hosts should have virtually patched or hardened your environments from this issue as of a week ago:
We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded. What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations. Simple oversight, that could have devastating impacts on unsuspecting website owners and businesses alike.
Note that despite being a DOM XSS, any sites behind our Website Firewall is already protected, but if you do not have a WAF or IPS protecting your site, we highly recommend removing the example.html from inside the genericons directory.