Security Notice: 0-Day XSS Vulnerability – Sites at Lightning Base Are Safe
Update (2:00 PM 4/27/15): Patched versions of WordPress have been released to address this vulnerability, and automatic updates are rolling out at this moment.
klikki.fi posted an announcement yesterday regarding a 0-day vulnerability in WordPress.
This vulnerability should already be mitigated on our systems, but we’re posting this so everyone knows, and so anyone who sees it can make sure sites hosted elsewhere are protected.
The Problem
This is a serious issue with comments: very long comments are automatically truncated when stored in the database, which may allow scripts to be inserted into your site, potentially compromising visitors, or even the site itself if that code runs while you are logged in.
Simply having someone send a comment will not compromise your site – the problem arises when that comment is viewed.
Our Fix
We are automatically blocking very long comments at our webapp firewall, before they even reach your site, and tests with sample attacks exploiting this vulnerability confirm that this is working.
Other Options
If you’re hosted at Lightning Base this shouldn’t be a concern. But if you have sites hosted elsewhere, there are a few options:
– Completely turning off comments on your blog will stop this exploit. This plugin can help you do that until this is patched in core: https://wordpress.org/plugins/disable-comments/
– I have heard rumors that Akismet is automatically sending these to the spam bin. This is not something we have contacted Akismet about; if you plan to rely on it, I would consider getting in touch with them.
– This code should be able to block large comments: https://gist.github.com/kovshenin/2393e3da32ac3ba379fa – thanks to the code’s author and the Advanced WordPress Group on Facebook for making this available.
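As an added defensive example (written for this post, not the gist linked above and not Lightning Base’s firewall rule), here is a small WordPress plugin that refuses any comment long enough to be truncated by the comment_content column, so what gets stored is always exactly what the sanitizer approved. The 60,000-byte threshold and the lb_ function names are assumptions of this example; it assumes the default MySQL TEXT column for comment_content.

```php
<?php
/**
 * Plugin Name: Reject Oversized Comments (example)
 * Description: Refuses comments whose byte length would be truncated by the database column.
 */

// Assumed limit: comment_content is a MySQL TEXT column, which holds at most
// 65,535 bytes. Anything longer is silently cut at storage time, which is what
// lets a sanitized, balanced comment become unbalanced HTML once truncated.
// Staying below the hard limit leaves headroom for filters that add markup.
define( 'LB_MAX_COMMENT_BYTES', 60000 );

/**
 * Return true if the comment body fits in the storage column without truncation.
 * Length is measured in bytes, not characters: MySQL truncates on bytes, so a
 * multibyte-heavy comment can look short in characters and still overflow.
 */
function lb_comment_fits( $content, $max_bytes = LB_MAX_COMMENT_BYTES ) {
    return strlen( (string) $content ) <= $max_bytes;
}

/**
 * preprocess_comment runs before the comment is written, for every comment type
 * (regular comments, pingbacks, trackbacks), so the check applies regardless of
 * which submission path was used.
 */
function lb_reject_oversized_comment( $commentdata ) {
    if ( lb_comment_fits( $commentdata['comment_content'] ) ) {
        return $commentdata;
    }

    // Record the attempt for the site operator; never echo the content back.
    error_log( sprintf(
        'Rejected oversized comment on post %d from %s (%d bytes)',
        (int) $commentdata['comment_post_ID'],
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        strlen( $commentdata['comment_content'] )
    ) );

    wp_die(
        esc_html__( 'Your comment is too long. Please shorten it and try again.' ),
        esc_html__( 'Comment Rejected' ),
        array( 'response' => 413 )
    );
}
// Priority 1 so the size check runs before other comment filters.
add_filter( 'preprocess_comment', 'lb_reject_oversized_comment', 1 );
```

Drop the file into wp-content/mu-plugins/ to have it load on every request without activation; rejected attempts show up in the PHP error log, which gives you a simple signal of whether anyone is probing the site.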