The Finnish IT company Klikki Oy has located a critical security vulnerability in WordPress. The problem affects version 3 of the blogging and content management system. According to WordPress's statistics as of November 20, about 86% of all WordPress sites used a vulnerable version. At the time of reporting (September 2014), the percentage was about 90%. In order to exploit the vulnerability, the attacker needs a text entry field such as the comment form which is enabled by default.
The total number of WordPress sites on the internet has been approximated at tens of millions.
Version 3.0 which introduced this bug was released in 2010. Version 4.0, which is not vulnerable to this flaw, was released in September 2014. The bug has gone uncorrected for almost four years.
An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login).
Program code injected in comments would be inadvertently executed in the blog administrator's web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.
Such operations - demonstrated by our proof of concept exploits - include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.
Exploitability without login, under default settings, and the server-side impact make this probably the most serious WordPress core vulnerability that has been reported since 2009.
Klikki Oy reported the vulnerability on September 26 and has worked with the vendor to solve the problem. Official patches were released on November 20. They have now been deployed automatically to most WordPress sites. Reportedly the Akismet comment plugin now also filters any malicious comments containing the exploit.
For people who can't upgrade their WordPress server, we have created a workaround plugin which neutralizes the bug.
Klikki Oy is based in Jyväskylä, Finland, and has over a decade of track record in security vulnerability research.
For questions please contact CEO Jouko Pynnönen <firstname.lastname@example.org>
Updated Nov 24: clarified the first paragraph. The exploit requires a text entry field. A site using a vulnerable version isn't always exploitable.
Nov 25: Fixed a couple of typographical errors.
Dec 1: A proof of concept exploit published.