It is recommended that you upgrade your WordPress based website if for some reason your WordPress based website has not been automatically updated to the latest version of 5.1.1 as an updated WordPress based website is vulnerable to the newly discovered vulnerability that lets your website get hacked. A researcher at RIPS Technologies GmbH named Simon Scannell who has previously reported the multiple critical vulnerabilities in the WordPress has proved his capability and discovered a new flaw in the CMS that could potentially lead to remote code execution attacks. The flaw originates from a cross-site forgery (CSRF) issue in the comment section of the WordPress, one of its core components that comes enabled by default and affects all the WordPress installations prior to the latest version. The exploit that is demonstrated by researcher Scannell relies on the multiple issues that includes:
- The WordPress does not utilize CSRF validation when a user posts a new comment, allowing the attackers to post comments on the behalf of an administrator.
- Comments that are posted by an administrator account are not sanitization and can include arbitrary HTML tags and even the script tags.
- The WordPress frontend is not protected by the X-frame options header permitting the attackers to open targeted WordPress site in a hidden iFrame from an attacker controlled website.
Combining all these issues, an attacker can silently inject a stored XSS payload into the target website only by tricking a logged on administrator into visiting a malicious website containing the code for exploitation. The attacker can then even take the complete control over the targeted WordPress websites remotely just by injecting an XSS payload that can modify the WordPress template directly to include a malicious PHP backdoor without the administrator noticing it.