WordPress, the popular blogging platform, has released a security update to fix a recently disclosed critical zero-day flaw in its comment handling that potentially affects millions of WordPress websites.
Security researcher Jouko Pynnönen, who reported the flaw, explained in a blog post:
“The script is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.”
Pynnönen also notes that, once the script runs in a logged-in administrator's browser, the attacker could change the administrator's password and create new administrator accounts.
Although the majority of WordPress vulnerabilities reside in plug-ins, this one is in WordPress core itself, and it appears to be closely related to a flaw reported in 2014 by Cedric Van Bockhaven, which was patched 14 months after being reported. Van Bockhaven's variant used invalid characters to truncate the stored comment, whereas the new one relies on a massive amount of text; in both cases the comment that ends up in the database is cut short after it has already passed WordPress's HTML filtering, so the filter's verdict no longer applies to what is actually stored and later rendered.
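The pattern behind both variants, filtering a comment and then letting the storage layer silently shorten it, is easy to reproduce outside WordPress. The following is an added illustration written for this article; it is not WordPress code and not Pynnönen's or Van Bockhaven's material. The allowlist sanitizer, the 64 KB column limit, the non-strict column model (which cuts at the byte limit and at the first invalid UTF-8 sequence) and the two payloads are all assumptions chosen to show the class of bug, not the exact WordPress internals. The hardened path shows the checks a practitioner would want: validate encoding and length before filtering, and refuse to store anything the column would alter.

```python
"""Sanitize-then-truncate, as an added illustration (not WordPress code).

Model: a comment is run through an HTML allowlist filter, then written to
a database column that silently shortens it.  Two truncation triggers are
modelled, the ones the article mentions: an oversize body and an invalid
byte sequence.  The sanitizer, column limit and payloads are assumptions.
"""
import html
import re

COLUMN_LIMIT = 64 * 1024  # assumed byte capacity of the comment column

# Allowlist: <a> with quoted href/title only; everything else is escaped.
TAG_RE = re.compile(r'<(/?)([a-zA-Z]+)((?:\s+[a-zA-Z]+="[^"<>]*")*)\s*>')
ALLOWED = {"a": {"href", "title"}}


def sanitize(raw: str) -> str:
    """Keep allowlisted tags whose attributes are quoted and allowlisted;
    escape everything else.  The decision is made on the complete string,
    which is exactly the assumption that truncation later invalidates."""
    out, pos = [], 0
    for m in TAG_RE.finditer(raw):
        out.append(html.escape(raw[pos:m.start()], quote=False))
        name, attrs = m.group(2).lower(), m.group(3)
        attr_names = {n.lower() for n in re.findall(r'([a-zA-Z]+)="', attrs)}
        if name in ALLOWED and attr_names <= ALLOWED[name]:
            out.append(m.group(0))
        else:
            out.append(html.escape(m.group(0), quote=False))
        pos = m.end()
    out.append(html.escape(raw[pos:], quote=False))
    return "".join(out)


def lenient_column_store(text: str) -> str:
    """Model of a non-strict database column: cut at the byte limit and at
    the first invalid UTF-8 sequence instead of failing the write.
    Invalid bytes are represented as lone surrogates (surrogateescape)."""
    data = text.encode("utf-8", "surrogateescape")[:COLUMN_LIMIT]
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as err:
        return data[: err.start].decode("utf-8")


def store_comment_vulnerable(raw: str) -> str:
    """Filter first, store second: the stored value may not be what passed."""
    return lenient_column_store(sanitize(raw))


def store_comment_hardened(raw: str) -> str:
    """Reject bad input up front and refuse to store anything the column
    would alter, so the stored bytes are exactly what the filter approved."""
    data = raw.encode("utf-8", "surrogateescape")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("comment contains invalid UTF-8") from None
    if len(data) > COLUMN_LIMIT:
        raise ValueError("comment too long")
    clean = sanitize(raw)  # escaping can grow the text, so re-check after
    if lenient_column_store(clean) != clean:
        raise ValueError("sanitized comment would be truncated on store")
    return clean


def is_rejected(raw: str) -> bool:
    """True if the hardened path refuses the comment."""
    try:
        store_comment_hardened(raw)
    except ValueError:
        return True
    return False


def ends_inside_tag(stored: str) -> bool:
    """Check the invariant the filter relied on: the last tag opened is also
    closed.  True means truncation left a dangling, unterminated tag."""
    last_lt = stored.rfind("<")
    return last_lt != -1 and ">" not in stored[last_lt:]


# Constructed payloads (assumptions).  Each passes the filter as a single
# quoted title attribute; after truncation the closing quote and '>' are gone.
PAYLOAD_OVERSIZE = ('<a title="x onmouseover=alert(1) ' + "A" * COLUMN_LIMIT
                    + '">click</a>')
PAYLOAD_BAD_BYTE = '<a title="x onmouseover=alert(1) \udcff">click</a>'  # \udcff is byte 0xff

if __name__ == "__main__":
    for label, payload in (("oversize", PAYLOAD_OVERSIZE), ("bad byte", PAYLOAD_BAD_BYTE)):
        stored = store_comment_vulnerable(payload)
        print(f"{label}: stored tail={stored[-40:]!r} dangling tag={ends_inside_tag(stored)}")
        print(f"{label}: hardened path rejects={is_rejected(payload)}")
```

Running it shows the same outcome for both triggers: the sanitizer approves one harmless-looking quoted attribute, the column keeps only a prefix of it, and the stored text ends inside an open tag with the attacker's text no longer enclosed in quotes. The hardened version turns both cases into a rejected write, and its final equality check is the generic defence: whatever the real filter and the real column are, the bytes that come back from storage must be the bytes the filter passed.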
WordPress has released version 4.2.1 to fix the issue:
“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.”