Posted on 04/28/2015 5:44:46 PM PDT by Utilizer
Commenters could cross-site script.
Wordpress developer Automattic is urging users to urgently update their installations of the company's publishing platform to fix a critical vulnerability that could lead to attackers taking over entire sites.
Jouko Pynnönen of security vendor Klikki.fi discovered a cross-site scripting (XSS) flaw in WordPress that allows commenters to inject JavaScript into sites.
When admin users check the comments to moderate them and execute the JavaScript they contain, attackers can gain full control of the target WordPress site through the plugin and theme editors.
The vulnerability takes advantage of the TEXT data type in the MySQL database that WordPress is built on being limited to 64 kilobytes in size.
A comment longer than 64KB will be truncated, Pynnönen said, but results in malformed HTML being generated on the WordPress page.
"The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core," he wrote.
(Excerpt) Read more at itnews.com.au ...
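The failure mode in the excerpt is that the database silently cuts a sanitized comment at the column limit, so what gets rendered is no longer what the sanitizer approved. The guard below is an added example written for this thread, not WordPress code or Klikki.fi's: it measures the comment in UTF-8 bytes (what the column actually stores), models the non-strict MySQL TEXT truncation described in the article, and refuses anything that would not round-trip unchanged. The 65535-byte limit is the standard MySQL TEXT size; the sample comments are constructed.

```python
# Added defensive example (not WordPress's own code). Assumption: the comment
# column is a MySQL TEXT field (65535 bytes) written in non-strict SQL mode,
# which truncates oversize values instead of raising an error.
MYSQL_TEXT_MAX_BYTES = 65535  # the "64 kilobytes" the article refers to


def utf8_len(text: str) -> int:
    """Byte length as stored, not character count: multibyte text fills the column faster."""
    return len(text.encode("utf-8"))


def simulate_text_column(value: str, limit: int = MYSQL_TEXT_MAX_BYTES) -> str:
    """Model non-strict MySQL behaviour: keep the first `limit` bytes, drop the rest.

    A multibyte character split at the boundary is discarded, which is one way
    a well-formed, sanitized string comes back different from what was submitted.
    (In strict SQL mode MySQL rejects the row instead; this model covers the
    silent-truncation case the article describes.)
    """
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def accept_comment(sanitized: str, limit: int = MYSQL_TEXT_MAX_BYTES) -> tuple[bool, str]:
    """Return (accepted, reason).

    Reject before the write if the column cannot hold the sanitized text; then
    confirm the value the storage layer would keep is byte-for-byte what the
    sanitizer produced, so truncation can never silently alter approved markup.
    """
    if utf8_len(sanitized) > limit:
        return False, "comment exceeds the storage column; truncation would alter sanitized HTML"
    if simulate_text_column(sanitized, limit) != sanitized:
        return False, "stored value would differ from the sanitized value"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a normal comment and one padded past the column limit.
    short = '<a href="https://example.com">hello</a> ' + "x" * 20
    padded = '<a href="https://example.com">hello</a> ' + "x" * 70000
    print(accept_comment(short))   # (True, 'ok')
    print(accept_comment(padded))  # (False, 'comment exceeds the storage column; ...')
```

The same round-trip check (write, read back, compare, reject on mismatch) works against a real database without knowing the column size in advance, which is the more robust form of this guard.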
Well that’s pretty crappy.
Don’t know anything offhand that I use that uses it.
But that doesn’t mean it isn’t there.
I’ll have to look.
Quite a few people do use it, unfortunately. Hope the info helps.
I passed it on to a webcomic friend, he might know some people...
Good on ya, mate. Hope word spreads.
Will see.