Light Dark
July 29, 2015 By Douglas Bonderud 2 min read

Another WordPress iteration is now publicly available. Version 4.2.3 was released on July 23 and contains a number of security fixes — including one to address a potentially devastating cross-site scripting (XSS) vulnerability, the WordPress blog explained.

XSS Vulnerability Aims for a Large Target

This isn’t the first time WordPress has addressed a potentially disastrous flaw, and it won’t be the last; determined attackers are constantly looking for ways to compromise this popular content management system (CMS). As noted by PC World, for example, more than 50,000 sites were compromised in 2014 thanks to a PHP backdoor in the MailPoet Newsletter plugin, while XSS affected a host of plugins earlier this year.

According to SC Magazine, the newest WordPress release, version 4.2.3, specifically addresses a XSS vulnerability that could be used to compromise an affected website. Doing so would require users with contributor or author credentials to use “specially crafted shortcodes to bypass kses protection by tricking it into thinking dangerous parts are part of valid HMTL.” The result? With the right privileges, malicious actors could run JavaScript code on the front end of a website and take total control.

Smaller Issues Plague the Platform

The new update also addresses 20 other nonsecurity issues along with a smaller-scale security flaw that gave users with subscriber permissions the ability to create posts using the Quick Draft feature. While there’s no chance of website failure or takeover here, the possibility of malicious posts slipping through the cracks could spell disaster for large, well-branded companies leveraging WordPress for any part of their marketing efforts.

Imagine the havoc if an unsolicited, unapproved and completely inappropriate blog post appeared on the domain of a major retailer or financial institution. While there would be no actual harm to networks or data, the impact on social capital or reputation could be devastating.

Continuing Cycle

As noted by Computerworld, part of the reason for the never-ending WordPress patch cycle goes beyond big vulnerabilities to target cybercriminals who may use WordPress sites as jumping-off points for other attacks. Once compromised, websites running this free CMS can be used to host malware or even carry out distributed denial-of-service (DDoS) attacks, removing the need for attackers to go after their primary target by force. Here, the sheer number of WordPress sites helps to obscure the nature and severity of an attack and explains why the company’s security teams are diligent in tracking down even minor bugs.

XSS is the current vulnerability of choice for WordPress attackers, but as evidenced by July’s 4.2.3 release and May’s 4.2.2 — both of which targeted XSS flaws — the CMS is making every effort to cross out this problem permanently.

 |  |  | 
Douglas Bonderud
Freelance Writer

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature