Patched – Genericons XSS Vulnerability
There is a recently announced XSS vulnerability in the Genericons package, which is included in both JetPack and the TwentyFifteen theme, and likely in other add-ons as well. This means a huge portion of WordPress installs are potentially at risk.
The Vulnerability
A file called ‘example.html’ exists in the ‘genericons’ directory and is vulnerable to a DOM-based XSS attack. If you’re interested in the details of how that works, please see Sucuri’s post. The main thing to know is that someone would have to get you to click a link in order to take advantage of it, but once that happens the vulnerability is a dangerous one.
Our Response
We have removed the /genericons/example.html file from public directories on our systems. This will protect all Lightning Base hosted sites from the attack, and is not a problem because the file isn’t necessary. We are also running a process to look for and delete these files periodically in case someone uploads a plugin or WP install that already has the vulnerable file.
Sites Hosted Elsewhere?
If you have sites hosted somewhere they will not be patched automatically, I strongly encourage you to look in the JetPack and TwentyFifteen folders for the genericons/example.html file and delete it. A more complete solution is to search your entire web directory for the file, so you find and delete any instances that might exist in another plugin or theme.
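The search-and-delete described above, and the periodic sweep mentioned under "Our Response", written out as a POSIX shell script. This is an added example, not Lightning Base's own scanner and not part of the original post; it assumes only a POSIX sh with find and wc, and the plugin/theme directory layout used in the comments and in any testing is constructed for illustration, not taken from a real install.

```shell
#!/bin/sh
# Locate, and optionally remove, every genericons/example.html file under a web root.
# Added example (not Lightning Base's scanner). Assumes POSIX sh, find and wc.
#
# Only files named example.html whose parent directory is named genericons are
# matched, so an unrelated example.html elsewhere (e.g. a plugin's docs folder)
# is left untouched.

# find_genericons_examples ROOT
#   Prints the path of each matching file, one per line.
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html'
}

# count_genericons_examples ROOT
#   Prints how many matching files exist under ROOT (useful for a monitoring check).
count_genericons_examples() {
    n=$(find_genericons_examples "$1" | wc -l)
    echo $((n))
}

# remove_genericons_examples ROOT
#   Deletes every matching file and prints the number removed.
#   -print runs before -exec for each match, so the printed lines are exactly
#   the files that were deleted; piping through wc -l counts them.
remove_genericons_examples() {
    n=$(find "$1" -type f -path '*/genericons/example.html' -print -exec rm -f {} \; | wc -l)
    echo $((n))
}

# Usage: sh scan_genericons.sh /path/to/webroot            (report only)
#        sh scan_genericons.sh /path/to/webroot --delete   (report and remove)
# Nothing runs when the script is sourced without arguments.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--delete" ]; then
        echo "removed $(remove_genericons_examples "$1") file(s)"
    else
        find_genericons_examples "$1"
    fi
fi
```

Run it once in report-only mode to see what it would touch, then with --delete. For the periodic sweep, a cron entry such as "0 * * * * sh /usr/local/bin/scan_genericons.sh /var/www --delete" (assumed paths) re-runs the removal hourly so a freshly uploaded plugin or theme that still ships the file is cleaned up without manual intervention.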