Light Dark
April 28, 2015 By Shane Schick 2 min read

You’d think its users would deserve a break at this point, but the discovery of another WordPress vulnerability suggests site owners should be on the lookout for a zero-day flaw that could lead to cross-site scripting attacks.

First disclosed by a security researcher based in Finland, the latest WordPress vulnerability involves a bug that could let cybercriminals inject JavaScript code into the comments field of a site. If a WordPress site administrator approves the comment, which must be 66,000 characters long, it only needs to be viewed once before the code is executed, allowing cybercriminals to take over passwords and admin controls. The vulnerability affects Version 4.2 of the blogging and website platform.

Attackers have tried similar tactics before, and despite the popularity of WordPress, the company behind it hasn’t always been quick to respond. Just a few days ago, a patch was made available for a similar WordPress vulnerability discovered more than a year ago, ThreatPost reported, though in that case, the comment required special characters to execute an attack.

Though a watchful admin could theoretically not approve suspicious comments, there are social engineering techniques to get around such limitations, a story on Ars Technia pointed out. For example, if a clever cybercriminal posted a legitimate comment that was approved, subsequent comments containing the WordPress vulnerability would automatically go live on a site. Then, all it takes is theme editors or plugin tools to let the code injection do its work.

A security researcher confirmed to Forbes that the WordPress vulnerability is a real danger, and though the company said it will offer a patch, there is no real sense of when it will be released. That may lead many site editors to disable comments or at least use plugin tools such as Akismet to minimize the risks.

Chief information security officers and members of IT teams can be forgiven if it is becoming difficult to keep up with every new WordPress vulnerability. Earlier this month, a flaw in a popular plugin called Super Cache left an estimated 1 million sites at risk, while an earlier issue with a plugin used in many WordPress themes was enabling local file inclusion attacks.

Image Source: iStock

 |  |  |  | 
Shane Schick
Writer & Editor

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature