Millions of WordPress Sites under Persistent XSS Threat
Sucuri has released a security advisory describing a dangerous persistent XSS vulnerability in the WP-Super Cache plugin, which is used by millions of WordPress websites (according to wordpress.org).
The Vulnerability
An attacker could leverage this vulnerability by sending a carefully crafted query that inserts malicious scripts into the plugin’s cached file listing page.
“As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually”, states the report.
Upon successful execution of the injected scripts, an attacker could simply create a fresh administrator account on the site, inject backdoors by using WordPress theme editing tools, etc.
Technical Details
The issue lies in the way WP-Super-Cache displays information stored in the cache file’s key, which the plugin uses to decide which cache file must be loaded.
In the affected code, $details['key'] is appended directly to the page’s content without being sanitized first ($details['uri'] is sanitized somewhere else, before this snippet).
Because the 'key' index of the $details variable contains the return value of the get_wp_cache_key() function (which includes data coming straight from the user’s cookies), an attacker can insert malicious scripts on the page.
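The output pattern described above, shown next to an escaped version, as an added PHP example (it is not the plugin's code or the snippet from Sucuri's report). The function names, the sample key and the cookie value are hypothetical and constructed; esc_html() is WordPress's HTML-escaping function, replaced here by a stand-in so the file runs outside WordPress.

```php
<?php
// Added illustration, not WP Super Cache source. All names and sample
// values below are hypothetical and constructed for this example.

// Stand-in for WordPress's esc_html() so the file runs without WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Before: the cache key is concatenated into the admin listing as-is,
// so any markup carried in the key becomes part of the page.
function render_row_unsafe(array $details) {
    return '<tr><td>' . $details['uri'] . '</td><td>' . $details['key'] . "</td></tr>\n";
}

// After: the key is HTML-escaped at the point of output, so the browser
// shows it as text. 'uri' is left alone because, as in the page's
// description, it has already been sanitized before this point.
function render_row_safe(array $details) {
    return '<tr><td>' . $details['uri'] . '</td><td>' . esc_html($details['key']) . "</td></tr>\n";
}

// Constructed sample: a cache key that embeds a cookie value carrying markup.
$cookie_value = '<script>alert(1)</script>';
$details = array(
    'uri' => esc_html('/sample-page/'),  // sanitized earlier, per the page
    'key' => 'example.test80/sample-page/' . $cookie_value,
);

$unsafe = render_row_unsafe($details);
$safe   = render_row_safe($details);

echo "unsafe: " . $unsafe;
echo "safe:   " . $safe;

// Simple regression check a plugin author could keep in a test suite:
// no raw tag from the key may survive in the rendered row.
if (stripos($safe, '<script') !== false) {
    fwrite(STDERR, "FAIL: key reached the page unescaped\n");
    exit(1);
}
echo "OK: key rendered as text\n";
```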
Mitigation
An updated version of the plugin is available in which this vulnerability has been patched. Site admins are advised to update the WP-Super Cache plugin to the latest available version, i.e. 1.4.4.
Reviewed by Unknown on 4/07/2015