How to Hack a WordPress Website With Just a Comment – PoC


We have often reported various plugins that could affect your WordPress sites, however, it's not always the plugins welcoming the unwanted intruders on your sites. As it turns out, it is pretty much possible to hack a WordPress website with just a comment. Sounds crazy, right?

A Finnish security research Jouko Pynnonen has discovered a critical zero-day vulnerability in the core engine of the WordPress. This vulnerability in the CMS can be exploited by an unathenticated attacker to inject code via comments. When these specifically crafted messages are viewed by the admin, the attacker could take the control of the affected website.

Similar vulnerability was reported back in February 2014 when a Belgian security researcher reported how leveraging special characters to truncate crafted comments, an attacker could achieve arbitrary code execution. The latest vulnerability by Finnish expert showcases similar but a little different strategy.

In this XSS vulnerability, instead of using invalid / special characters, very long comments do the job. These comments have to be of roughly 66,000 characters!

the injected JavaScript apparently can't be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.

Once a moderator approves the harmless comment, the attacker then proceeds to post the specially crafted code in the comment;

The specially crafted code submitted via comments is not executed in the administrator dashboard. Instead, it gets executed when the victim views the post where the malicious comment was published.

These researchers though aren't very happy with how WordPress handles the security reports. According to Belgian researcher Van Bockhaven's blogpost, it took WordPress over a year to fix the flaw and that too wasn't handled well as the latest vulnerability reveals.

WordPress 4.2 security vulnerability proof-of-concept:

However, after this latest uproar, Automattic has released an update to patch the vulnerability with the latest WordPress 4.2.1 update. All the WordPress admins are advised to update to this version at earliest. This zero-day WordPress bug affect WordPress version and the 4.2.

For more details on WordPress 4.2 Stored XSS, visit Klikki Oy