Researchers have offered more detail on a recently patched vulnerability that would allow an attacker to take over a WordPress site using something as simple as a maliciously crafted comment.
Discovered by RIPS Technologies, it is a cross-site request forgery (CSRF) flaw affecting any site running version 5.1 or earlier with default settings and comments enabled.
At the heart of the flaw is how WordPress protects itself (or rather, doesn’t) against CSRF when a comment is posted.
CSRF attacks happen when an attacker tricks an authenticated user’s browser into sending requests the user never intended, so that the malicious instructions arrive carrying that user’s credentials and appear to come from them.
In the case of the latest flaw, all the attacker has to do is lure a WordPress admin to a malicious website serving a cross-site scripting (XSS) payload.
Websites defend themselves against CSRF in different ways, but the complexity of the task means there are always cracks attackers can slip through.
From the report:
WordPress performs no CSRF validation when a user posts a new comment. This is because some WordPress features such as trackbacks and pingbacks would break if there was any validation. This means an attacker can create comments in the name of administrative users of a WordPress blog via CSRF attacks.
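As an added illustration, not code from the report or from WordPress itself, the following Python model shows one defensive way to handle that trade-off: trackback and pingback endpoints stay nonce-free but always have their HTML filtered, and a comment keeps unfiltered HTML only when a session-bound nonce proves it was submitted from the site’s own form. The HMAC nonce scheme, the function names and the allowlist sanitizer are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server-side secret; a real site would keep this in its config.
SECRET = secrets.token_bytes(32)
NONCE_ACTION = "unfiltered-html-comment"
# Allowlist of harmless tags; anything else (script, img, iframe, ...) is dropped.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "blockquote", "p"}
_TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z0-9]+)[^>]*>")


def make_nonce(session_id: str, action: str = NONCE_ACTION) -> str:
    """Token bound to one session and one action (hypothetical scheme)."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(session_id: str, nonce, action: str = NONCE_ACTION) -> bool:
    if not isinstance(nonce, str):
        return False
    return hmac.compare_digest(make_nonce(session_id, action), nonce)


def sanitize_html(content: str) -> str:
    """Allowlist filter that also strips every attribute (no onclick=, no href=).
    A stand-in for a real sanitizer, not a replacement for one."""
    def keep_or_drop(m):
        slash, tag = m.group(1), m.group(2).lower()
        return f"<{slash}{tag}>" if tag in ALLOWED_TAGS else ""
    return _TAG_RE.sub(keep_or_drop, content)


def handle_comment(request: dict) -> dict:
    """Model of a comment endpoint that cannot demand a nonce on every request."""
    kind = request.get("kind", "comment")
    user = request.get("user")          # None for anonymous visitors
    content = request["content"]
    # Trackbacks and pingbacks come from other sites, so no session nonce can
    # exist for them; instead of trusting them, always filter their HTML.
    if kind in ("pingback", "trackback"):
        return {"accepted": True, "filtered": True, "content": sanitize_html(content)}
    privileged = bool(user) and user.get("unfiltered_html", False)
    nonce_ok = bool(user) and verify_nonce(user["session"], request.get("nonce"))
    # Only an admin whose browser submitted the site's own form (valid nonce)
    # keeps raw HTML; a forged cross-site POST lacks the nonce and is filtered.
    if privileged and nonce_ok:
        return {"accepted": True, "filtered": False, "content": content}
    return {"accepted": True, "filtered": True, "content": sanitize_html(content)}
```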
The full sequence is somewhat involved but, if executed, would be bad news.
Writes RIPS Tech’s Simon Scannell:
As soon as the victim administrator visits the malicious website, a CSRF exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
What to do
The solution is to update WordPress to version 5.1.1, which appeared on 12 March with a fix for this flaw. If auto-updating is not turned on, it’s the usual drill: visit Dashboard > Updates and click Update.
A more extreme workaround is to disable comments entirely. In any case, logging out of the WordPress admin before visiting other websites removes the authenticated session that a CSRF attack depends on.
You can see a related example of this class of attack in a recently patched CSRF flaw affecting Facebook.