WordPress users have been advised to check their plugins to make sure that they are not susceptible to a DOM-based cross-site scripting vulnerability associated with the widely used Genericons package.
David Dede, senior malware researcher at security company Sucuri, said that at least two plugins are vulnerable.
“So far, the JetPack plugin (reported to have over one million active installations) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default in millions of WordPress installations,” he wrote in a security blog post.
“The main issue here is the Genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the file that comes with the package.”
Such attacks are hard to tackle, according to the firm. Sucuri was able to mitigate the threat in tests, and said that DOM-based XSS attacks rely on social engineering and a user clicking on a spiked link.
This is a common and effective method, but users can protect themselves by removing the file from the Genericons directory.
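A quick way for site operators to audit their installs for the mitigation the article describes, as an added example (not code from Sucuri, Automattic or the WordPress project). It assumes the directory is named `genericons` and that the file name begins with `example`, since the article only calls it the Genericons example file; adjust the pattern if your package differs.

```shell
#!/bin/sh
# Added example, not from the article: list (and optionally delete) files that
# match the description "an example file in the Genericons directory" under a
# WordPress document root.
# Assumptions: directory named "genericons" (any case), file name starting with
# "example". The article does not give the exact file name.
# Usage: find_genericons_examples /var/www/html         # report only
#        find_genericons_examples /var/www/html remove  # report and delete

find_genericons_examples() {
    root="$1"
    mode="${2:-report}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -ipath restricts the search to files inside a genericons/ directory,
    # so unrelated example files elsewhere in the tree are not touched.
    find "$root" -type f -ipath '*/genericons/example*' -print |
    while IFS= read -r f; do
        if [ "$mode" = "remove" ]; then
            rm -f -- "$f" && echo "removed: $f"
        else
            echo "found: $f"
        fi
    done
}

# Number of matching files, for scripting (0 means nothing left to remove).
count_genericons_examples() {
    find "$1" -type f -ipath '*/genericons/example*' | wc -l | tr -d ' '
}
```

Run it in report mode first across every site on the host, then with `remove` once you have confirmed the matches are the shipped example file and not something your theme relies on.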
Sucuri “highly recommends” this course of action, and Dede was slightly critical of the development process.
“We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means you remove debug or test files before you move into production,” he said.
“In this case, Automattic and the WordPress team left a simple file that had the vulnerability embedded. A simple oversight that could have devastating impacts on unsuspecting website owners and businesses alike.”
Samuel Sidler, of the WordPress Theme Review team, said that a number of themes have been updated as a result.
WordPress said that the firm worked quickly to fix the problem. “Earlier today, the core security team shipped new versions of a number of themes that were vulnerable to a cross-site scripting issue due to shipping a Genericons example file,” added Sidler.
“This is the first time we’ve updated themes without notifying the theme authors ahead of time.”