WordPress has had its share of vulnerabilities, but most of them are in third-party plugins. Not this time: a Finnish security researcher has disclosed a zero-day vulnerability in the core of the WordPress content management system.
The WordPress CMS, used by millions of websites, is vulnerable to a zero-day flaw that could give an attacker remote code execution on the web server and, with it, full control of the site.
The vulnerability, found by Jouko Pynnönen of the Finland-based security firm Klikki Oy, is a stored Cross-Site Scripting (XSS) flaw in the WordPress comments system.
The vulnerability affects WordPress versions 3.9.3, 4.1.1, 4.1.2 and the latest release, 4.2.
How the 0-day exploit works
When the comment is rendered in the browser of someone logged in with WordPress admin rights to the site, the malicious script executes with that admin's privileges and gives the admin no indication that anything has happened.
By default, WordPress does not publish a comment automatically until the commenter has already had a comment approved by the site administrator.
An attacker gets past this by submitting a benign first comment. Once the administrator approves it, further comments from the same author name and e-mail address are approved and published automatically, without anyone reviewing their content, which is when the comment carrying the malicious payload goes through.
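To make the moderation rule concrete, here is a Python model of that decision. It is an added example, not WordPress code: it follows the order of checks in WordPress's `check_comment()` function using the option names WordPress had at the time (`comment_moderation`, `comment_whitelist`, `moderation_keys`), and the in-memory comment store and the two sample comments are constructed for the walkthrough.

```python
"""
Added example (not WordPress code): a Python model of how WordPress 4.2-era
comment moderation decides whether a new comment is published immediately.
The Site/Comment classes, the comment store and the sample comments are
constructed for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Comment:
    author: str
    email: str
    text: str
    approved: bool = False   # True once published (auto or by an admin)


@dataclass
class Site:
    # Option names as in WordPress 4.2 (comment_whitelist was later renamed
    # comment_previously_approved in newer WordPress releases).
    comment_moderation: bool = False   # "Comment must be manually approved" (default off)
    comment_whitelist: bool = True     # "Author must have a previously approved comment" (default on)
    moderation_keys: tuple = ()        # words that always send a comment to the queue
    comments: list = field(default_factory=list)

    def has_prior_approved(self, author, email):
        # WordPress matches on author name + e-mail across the whole site,
        # not per post, so one approved comment anywhere unlocks every post.
        return any(c.approved and c.author == author and c.email == email
                   for c in self.comments)

    def auto_approve(self, comment):
        """Return True if the comment is published without admin review."""
        if self.comment_moderation:
            return False                      # everything goes to the queue
        if any(k.lower() in comment.text.lower() for k in self.moderation_keys):
            return False                      # blacklisted word: hold it
        if self.comment_whitelist:
            if comment.author and comment.email:
                return self.has_prior_approved(comment.author, comment.email)
            return False                      # anonymous: hold it
        return True                           # whitelist off: publish straight away

    def submit(self, comment):
        comment.approved = self.auto_approve(comment)
        self.comments.append(comment)
        return comment.approved


def walkthrough(moderation_on=False):
    """Two comments from one author: a benign first, then a hostile second.

    Returns (first_was_held, second_was_auto_approved).
    """
    site = Site(comment_moderation=moderation_on)
    first = Comment("alice", "alice@example.net", "Nice post!")
    held = not site.submit(first)             # default settings: held for review
    first.approved = True                     # admin approves the harmless comment
    # Constructed stand-in for the attacker's follow-up; no real payload here.
    second = Comment("alice", "alice@example.net", "<payload>")
    return held, site.submit(second)


if __name__ == "__main__":
    print("default settings  :", walkthrough())                  # (True, True)
    print("manual moderation :", walkthrough(moderation_on=True))  # (True, False)
```

With the defaults the second comment is published unseen, which is the window the attack needs. Turning on "Comment must be manually approved" (`comment_moderation`) closes that auto-approval path for every comment, but it only narrows the exposure: the XSS itself is fixed by updating WordPress, not by changing the setting.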
See the video here
If you run one of the versions listed above, patch now.
WordPress has already released a fix (WordPress 4.2.1).