A WordPress security vulnerability has been discovered which could affect millions of WordPress users.
The problem, spotted by security firm Sucuri, has been identified as a DOM-based Cross-Site Scripting (XSS) vulnerability. If you want to learn more about the technical side of the vulnerability, this is a great resource by Acunetix.
The vulnerability relates to the Genericons package, specifically its example.html file. Any theme or plugin that ships this example.html file is potentially vulnerable. If any of your themes or plugins utilize vector icons, you could be at risk.
Worryingly, this is known to include the TwentyFifteen theme, which ships with WordPress by default, and the popular Jetpack plugin, which has an active user base in the millions. According to Sucuri, the vulnerability is relatively simple to exploit, but because it was caught before it was disclosed, the impact is not thought to be severe: the problem was caught before any real damage could be done.
Good news, though: the vulnerability is relatively simple to fix.
Just head inside the genericons directory and remove the problem example.html file, located at genericons/example.html. You can also block access to the file using a WAF or IDS.
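The removal step above as a script (an added example, not from the original post or from Sucuri). It assumes the file sits in a directory named genericons, as the post states; the function names, the script name in the usage comment and the dry-run/apply argument are choices made for this example.

```shell
#!/bin/sh
# Added example: find and remove genericons/example.html anywhere under a
# WordPress install, so bundled copies in themes and plugins are all covered.
# Usage (script name is hypothetical):
#   sh clean_genericons.sh /path/to/wordpress          # dry run, lists matches
#   sh clean_genericons.sh /path/to/wordpress apply    # deletes matches

# Print every regular file named example.html that sits directly inside a
# directory named genericons. -type f skips symlinks and directories.
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Report each match on stderr and, when the second argument is "apply",
# delete it. Prints the number of matches handled on stdout.
# Paths are read line by line; file names containing newlines are not handled.
clean_genericons_examples() {
    find_genericons_examples "$1" | {
        count=0
        while IFS= read -r f; do
            if [ "${2:-dry-run}" = apply ]; then
                rm -f -- "$f" && echo "removed: $f" >&2
            else
                echo "would remove: $f" >&2
            fi
            count=$((count + 1))
        done
        echo "$count"
    }
}

# Run only when a directory was given on the command line.
if [ "$#" -gt 0 ]; then
    clean_genericons_examples "$@"
fi
```

Run it without `apply` first and review the list; after a theme or plugin update, run it again, since an update can restore the file.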
Some more good news: when the vulnerability was identified last week, Sucuri proactively reached out to many of the main hosting services. The following hosts have already patched up the issue:
- WP Engine
- GoDaddy
- DreamHost
- HostPapa
- ClickHost
- Inmotion
- Pagely
- Pressable
- Websynthesis
- Site5
- SiteGround
If you host your website with any of these services, there’s no need to worry—the problem is already resolved. However, if you use a different hosting service, you should manually remove the vulnerable file to protect yourself.
Excellent work from the Sucuri team for flagging such a wide-reaching vulnerability early so the problem could be contained!