Warning about unpatched XSS security vulnerabilities in WordPress

According to a warning from the HVA group, WordPress has an extremely serious stored XSS vulnerability in the comments and posts section (specifically in the post title). I confirmed it by testing against WordPress version 4.6.1 on localhost.


The vulnerability affects versions 4.6.1 and below (i.e. including the current latest version). So far, WordPress has not released any update for it.

With these two XSS vulnerabilities, attackers can upload a web shell to your website. Watch the demo video in this article to get a sense of the level of danger.

To work around the vulnerability, you can disable comments from the Discussion Settings page:

http://your-site.com/wp-admin/options-discussion.php

and uncheck the box "Allow people to post comments on new articles".


However, this only blocks the attack via comments. As for the post title, only the Admin and contributors have permission to publish posts, so that path is less of a worry. But perhaps a malicious contributor wants to take over the Admin account, and then …

A plugin to help protect your WordPress site


For these reasons, I created a temporary patch while waiting for the WordPress team to release an update: https://github.com/J2TeaM/wordpress-xss-patch

This plugin hooks into the comment and post submission flow to filter the data before it is saved to the database, and again when comments are printed on the article page. That way, malicious code inserted by an attacker cannot be executed.
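The following is an added illustration of that input-and-output filtering approach as a minimal WordPress plugin; it is not the code of the J2TeaM patch linked above. The hooks and sanitising functions (`preprocess_comment`, `title_save_pre`, `comment_text`, `the_title`, `wp_kses_data`, `wp_strip_all_tags`, `esc_html`) are standard WordPress APIs; the `xssdemo_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Stored XSS input/output filter (illustrative example)
 * Description: Sanitises comment content and post titles on save and on output.
 */

// Abort if loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter comment data before wp_new_comment() writes it to the database.
 * wp_kses_data() keeps only the small default whitelist of tags
 * (a, b, em, strong, ...) and strips script tags, event handlers
 * and javascript: URLs.
 */
function xssdemo_filter_comment_data( array $commentdata ) {
    $commentdata['comment_content']    = wp_kses_data( $commentdata['comment_content'] );
    $commentdata['comment_author']     = sanitize_text_field( $commentdata['comment_author'] );
    $commentdata['comment_author_url'] = esc_url_raw( $commentdata['comment_author_url'] );
    return $commentdata;
}
add_filter( 'preprocess_comment', 'xssdemo_filter_comment_data' );

/**
 * Filter the post title before it is saved. A title is plain text,
 * so every tag is stripped rather than whitelisting any.
 */
function xssdemo_filter_post_title( $title ) {
    return wp_strip_all_tags( $title );
}
add_filter( 'title_save_pre', 'xssdemo_filter_post_title' );

/**
 * Defence in depth: sanitise again at output time, so content that was
 * already stored before this plugin was activated cannot execute either.
 * Priority 20 runs after core's own comment_text formatting filters.
 */
function xssdemo_filter_comment_output( $comment_text ) {
    return wp_kses_data( $comment_text );
}
add_filter( 'comment_text', 'xssdemo_filter_comment_output', 20 );

function xssdemo_filter_title_output( $title ) {
    return esc_html( wp_strip_all_tags( $title ) );
}
add_filter( 'the_title', 'xssdemo_filter_title_output', 20 );
```

Save it as a single file in `wp-content/plugins/` (or zip it) and activate it; the output-time filters are what protect against payloads that were stored before activation.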

Just download it, then visit the Add New plugin page: http://your-site.com/wp-admin/plugin-install.php


Click the Upload Plugin button and browse to the .zip file you downloaded.

After uploading, don't forget to Activate the plugin for the patch to take effect!

Share this with your friends who use WordPress!

ITZone via Junookyo
