WordPress 5.1.1 fixes a threatening XSS vulnerability

5.1.1 Fixes XSS Vulnerability Leading to Website Takeovers

WordPress 5.1.1 recently patched an XSS vulnerability, but the researchers kept probing and found the threat was far more severe than it first appeared: it would let an attacker take over a WordPress site with something as simple as a maliciously crafted comment. Discovered by RIPS Technologies, the flaw is a cross-site request forgery (CSRF) issue that exists on any site running version 5.1 or earlier with default settings and comments enabled.

The heart of the problem is that the measures WordPress took to protect its comment handling from CSRF-based takeovers were not secure. CSRF attacks happen when an attacker hijacks an authenticated user session so that the malicious instructions appear to come from that user’s browser. In the case of the recently patched flaw, the attacker could have lured a WordPress admin to a malicious website, which would then deliver a cross-site scripting (XSS) payload through the forged comment.
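The two defensive layers the paragraph above implies, a per-session anti-CSRF token on the comment form and escaping of the comment body before it is rendered, as an added, self-contained PHP example. This is not WordPress's own code or the 5.1.1 fix; the function names, the in-memory array standing in for a real session, and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example (not WordPress code): a minimal comment handler that rejects
// cross-site forged POSTs with a per-session anti-CSRF token and HTML-escapes
// the comment body before it is displayed. Names are illustrative assumptions.

declare(strict_types=1);

// Issue a fresh random token and remember it in the (simulated) session.
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Render the comment form with the token embedded as a hidden field. Only a
// page served from this origin can read the token back out of the form.
function renderCommentForm(string $token): string
{
    $safeToken = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/comment">'
         . '<input type="hidden" name="csrf_token" value="' . $safeToken . '">'
         . '<textarea name="body"></textarea>'
         . '<button type="submit">Post</button></form>';
}

// Handle a submitted comment. Returns the escaped comment text on success, or
// null when the request does not carry the token this session issued.
function handleCommentPost(array &$session, array $post): ?string
{
    $expected = $session['csrf_token'] ?? null;
    $given    = (string) ($post['csrf_token'] ?? '');

    // A page on another origin can make the victim's browser send this POST
    // with the victim's cookies, but it cannot read the hidden token, so a
    // forged request fails here. hash_equals avoids a timing side channel.
    if ($expected === null || !hash_equals($expected, $given)) {
        return null;
    }

    // The token is single-use: drop it once a submission has been accepted.
    unset($session['csrf_token']);

    // Escape the body regardless of who submitted it, so markup in a comment
    // is shown as text rather than executed as script in a visitor's browser.
    return htmlspecialchars((string) ($post['body'] ?? ''), ENT_QUOTES, 'UTF-8');
}

// Demo with a simulated session array (a real deployment would use $_SESSION).
$session = [];
$token   = issueCsrfToken($session);
$form    = renderCommentForm($token);

// Constructed requests: one forged from another site (no token), one legitimate.
$forged = ['body' => '<script>alert(1)</script>'];
$legit  = ['csrf_token' => $token, 'body' => 'Nice post <b>thanks</b>'];

var_dump(handleCommentPost($session, $forged));
var_dump(handleCommentPost($session, $legit));
```

Run with `php example.php`: the forged request is rejected because it carries no token, and the legitimate one is accepted but comes back with its `<b>` tags escaped, so nothing in the stored comment can run as script when the page is viewed. The escaping step matters independently of the token check: it is what keeps a forged or otherwise unexpected comment from turning into the XSS payload the article describes.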

Even though websites defend themselves from CSRF in many possible ways, the complexity of the task means there are always cracks attackers can slip through.

What could have been a better solution?

The solution is to update WordPress to version 5.1.1, which appeared on 12 March with a fix for this flaw. If auto-updating is not turned on, it’s the usual drill: visit Dashboard > Updates and click Update. To go one step further in keeping these attacks at bay, webmasters can disable comments entirely, and should remember to log out of the WordPress admin before visiting other websites.