According to the web security website Sucuri, any WordPress plugin or
theme that uses the popular genericons package could be at risk of a
DOM-based Cross-Site Scripting (XSS) vulnerability.
Both the Jetpack plugin (which has more than 1 million active users) and
the TwentyFifteen theme (which is WordPress’s current default theme) use
genericons. The vulnerability lies in the example.html file that ships
with the package.
Eliminating the Threat
The quick fix is to remove the example.html file from the genericons
package, which you don’t need anyway.
Sucuri said it detected this vulnerability before it was exploited in the
wild, so it hasn’t done any known damage so far. Because Sucuri responded
so quickly, the threat level to WordPress users isn’t considered serious.
But the site warned that the vulnerability would be easy to exploit.
Sucuri reached out to the most popular web hosting services and notified
them of this vulnerability and gave them the patch they needed to
eliminate it. So if you use any of these services, you already have the
virtual patch you need to protect yourself:
But if your site is hosted by a different company, you may need to
manually fix the issue yourself. All you have to do, according to
Sucuri, is go to the genericons directory and delete the example.html
file and you will be completely protected.
Who Is Responsible?
How the vulnerability got there in the first place and what its
designers’ intentions were is not known. It’s strange that Automattic
and the WordPress team would leave a simple example.html file in the
genericons directory. Was this simply an oversight or something more
sinister? At the moment, we don’t have a good answer for that question.
Here’s a wonky description of what it does from the group OWASP:
“DOM-Based XSS is an XSS attack wherein the attack payload is executed
as a result of modifying the Document Object Model (DOM) “environment”
in the victim’s browser used by the original client side script, so that
the client side code runs in an “unexpected” manner. That is, the page
itself (the HTTP response that is) does not change, but the client side
code contained in the page executes differently due to the malicious
modifications that have occurred in the DOM environment.”
What that means, I don’t know. But I do know that the XSS payload is
never sent to the server side and is executed entirely at the browser
level. So even if your website has a firewall, it can’t do anything
about the vulnerability because it doesn’t ever see it. While it’s
possible to patch the exploit, DOM-based XSS can be very difficult to
A Close Shave
But they also are more difficult for hackers to exploit, because they
require a high level of social engineering to get people to click on the
malicious link. But if hackers can get someone to click through, it
provides the same level of access as other types of XSS attacks.
browser and take over any site you are logged onto as the admin.
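The two points above, that a DOM-based payload carried in the URL fragment never reaches the server (so a server-side firewall cannot see it) and that the danger lies in how client-side script handles that fragment, as an added JavaScript example. This is not code from the article, from Sucuri, or from the genericons package: the URL, path and marker are constructed, and the render functions model an innerHTML-style sink and a textContent-style sink as plain string building so the file runs under Node.

```javascript
// Constructed sample: a page URL whose fragment carries a harmless HTML marker.
// The path is a placeholder, not the real location of example.html on any site.
const SAMPLE_URL = "https://example.test/path/to/genericons/example.html#<b>marker</b>";

// What the browser actually puts in the HTTP request line: path and query only.
// The fragment stays on the client, so a server-side firewall never gets to inspect it.
function requestTarget(pageUrl) {
  const u = new URL(pageUrl);
  return u.pathname + u.search;
}

// What page-level script can read back from the same URL (location.hash in a browser).
// The WHATWG parser percent-encodes "<" and ">" in the fragment, so decode as such scripts do.
function clientFragment(pageUrl) {
  const u = new URL(pageUrl);
  return decodeURIComponent(u.hash.replace(/^#/, ""));
}

// Vulnerable pattern: the fragment is copied straight into an HTML sink
// (innerHTML, jQuery .html(), document.write). Modeled as string building here.
function renderUnsafe(fragment) {
  return '<div id="out">' + fragment + "</div>";
}

// Minimal HTML escaping for text that will be placed into element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: treat the fragment as text, never as markup. In a browser,
// assigning to textContent gives the same result without manual escaping.
function renderSafe(fragment) {
  return '<div id="out">' + escapeHtml(fragment) + "</div>";
}

// Detection helper for the demo: does the rendered markup still contain a tag
// that originated in the fragment?
function containsInjectedTag(html) {
  return /<b>marker<\/b>/.test(html);
}

console.log("request line target :", requestTarget(SAMPLE_URL));
console.log("fragment seen by JS :", clientFragment(SAMPLE_URL));
console.log("unsafe render       :", renderUnsafe(clientFragment(SAMPLE_URL)));
console.log("safe render         :", renderSafe(clientFragment(SAMPLE_URL)));
```

The request line carries only the path, which is why a firewall in front of the web server has nothing to match on; the fix has to happen in the page itself (escape or use textContent) or, as the article recommends, by removing the unneeded example.html altogether.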
Had this exploit not been caught, it could have had a devastating impact
on unsuspecting website owners and businesses alike.
In any case, if you remove the example.html file from the genericons
directory, you should be okay for now.