Critical Persistent XSS 0day in WordPress | Sucuri Blog

If you have comments enabled on your WordPress site, you may want to disable them until a patch is issued. Hackers can overload the comments and inject JavaScript-based code into your comment stream. While this will not likely give them access to your WordPress site itself, they can use this method to turn your website into a distribution point for JavaScript code that attacks your visitors' devices. The most vulnerable users will be those visiting your site from desktops or laptops.

Read about the security issue at the Sucuri blog.

Who’s affected

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the site’s code if the code runs in a logged-in administrator’s browser. You should definitely disable comments on your site until a patch is mad

Source: Critical Persistent XSS 0day in WordPress | Sucuri Blog