Hot Downloads

WordPress DOM XSS Cross-site Scripting Vulnerability Identified By Netsparker

Written by Administrator. Posted in Security Articles

3.33333333333 1 1 1 1 1 Rating 3.33 (3 Votes)
WordPress DOM XSS Cross-site Scripting Vulnerability Identified By Netsparker - 3.3 out of 5 based on 3 votes

netsparker-discovery-wordpress-dom-xss-scripting-vulnerability-18th of May 2015, Netsparker annouced yesterday the discovery of critical security vulnerability contained an HTML file found on many WordPress themes, including WordPress.org hosted websites. As reported by Netsparker the specific HTML file is vulnerable to cross-site scripting attacks and session hijack. WordPress.org has already issued an official annoucement and patch (v4.2.2) and recommends WordPress administrators update their website files and themes.

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated yesterday by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.

Download & Scan your site with Netsparker for security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS)

By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session. This means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access. As seen from the XSS example in Netsparker's article, if a web application is vulnerable to cross-site scripting and the administrator’s session is hijacked, the malicious hacker exploiting the vulnerability will have full admin privileges on that web application.

Related Security Articles

Netsparker, a leading web application network security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities, hence it is the first and only False Positive Free web application security scanner.

Back to Security Articles Section

Articles To Read Next:

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup