On October 19, 2017, WordPress released a security notice about a stored XSS vulnerability in version 4.8.1. An attacker can leave a comment that contains malicious code on the affected website. When the comment page is opened, the malicious code is run, causing the website's permissions and plug-ins to be changed, or even the website to be fully controlled. This vulnerability poses a high security risk.
We recommend that you check for the vulnerability and upgrade WordPress to the latest version immediately.
See the following for more information about the vulnerability.
WordPress stored XSS vulnerability
Condition and method of exploitation
- Affected version: WordPress 4.8.1
- Unaffected version: WordPress 4.8.2
Check whether any affected version of WordPress is used.
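One way to run this check across a web root, as an added example that is not part of the original notice: it reads the `$wp_version` value that WordPress keeps in `wp-includes/version.php` and compares it with the versions listed above. The function names and status labels are hypothetical, and treating releases later than 4.8.2 as unaffected is an assumption.

```python
import os
import re

# Versions taken from the advisory: 4.8.1 is affected, 4.8.2 is unaffected.
AFFECTED = (4, 8, 1)
FIXED = (4, 8, 2)

# WordPress records its version in wp-includes/version.php, e.g. $wp_version = '4.8.1';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(php_source):
    """Return the version string found in version.php content, or None."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def classify(version):
    """Map a version string onto the advisory's affected/unaffected statement."""
    nums = re.match(r"\d+(?:\.\d+)*", version or "")
    if not nums:
        return "unknown"
    parts = tuple(int(p) for p in nums.group(0).split("."))
    parts += (0,) * (3 - len(parts))  # treat '4.9' as 4.9.0
    if parts[:3] == AFFECTED:
        return "affected"
    if parts[:3] >= FIXED:
        return "unaffected"  # assumption: releases after 4.8.2 keep the fix
    return "not-listed"  # older than 4.8.1: the advisory does not say


def scan(root):
    """Find every WordPress install under root and classify its version."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_wp_version(fh.read())
            results[os.path.dirname(dirpath)] = (version, classify(version))
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for site, (version, status) in sorted(scan(root).items()):
        print(f"{site}: WordPress {version} -> {status}")
```

Pass the web root as the first argument; any install reported as `affected` or `not-listed` should be upgraded as described in the next section.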
How to fix or mitigate
Select Update on the backend dashboard of WordPress to upgrade WordPress to the latest official version 4.8.2.
Use Alibaba Cloud Security WAF for defense.
Information you may want to know
What is a stored XSS vulnerability?
A stored XSS vulnerability is persistent. It can be exploited to inject malicious code and store it on the server. On vulnerable web pages, the malicious code may be stored through input fields, for example, fields for editing a user profile or posting comments. The code runs when users visit the vulnerable page. Websites with a stored XSS vulnerability are exposed to worms and cookie theft.
What is a reflected XSS vulnerability?
The reflected XSS vulnerability is non-persistent. It triggers XSS code by inducing visitors to click a malicious link. The code is not stored in any page or content on the server. Websites with a search page are prone to this type of XSS vulnerability.