Categories
Web Security

WORDPRESS SECURITY ALERT: Widespread XSS Vulnerability Exists

WordPress Security Alert For Churches

[slogan size=”small”]UPDATE: This WordPress security alert is a general community announcement for all churches using WordPress version 4.2 and earlier to run their website.[/slogan]

Anyone running a website on WordPress version 4.2 and earlier should be made aware of this problem, and must take immediate action to ensure their site is secure.

In “geek speak”, a cross-site scripting, or XSS, vulnerability affecting multiple WordPress themes and plugins exists.

In simple terms, a WordPress security threat exists that could potentially be used by attackers to gain unauthorized access to your Web pages or entire website.

What is Cross-site Scripting?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner. —Source: Wikipedia

This Cross-site Scripting Wikipedia article includes simple examples of different kinds of attacks and things an attacker could accomplish if successful in exploiting this vulnerability. It’s definitely an eye-opening read.

What should you do?

This WordPress security vulnerability is widespread, so it’s impossible to know precisely which themes and plugins have been affected.

An April 20, 2015 WordPress security advisory on the Sucuri Blog advises users to do the following:

  • Keep your site updated
  • Restrict access control
  • Monitor your logs
  • Use only plugins you need
  • Scan your site for indicators of compromise
  • Put a system in place to block the most common forms of XSS exploits

Immediate action I’m taking

I’m sure to apply updates to our theme and plugins as soon as they’re released, so we’re good there. So, here’s what I’ll be doing right away:

  1. Installing and running Sucuri’s WordPress security plugin
  2. Checking my church’s theme and plugin changelogs (yes, each and every one) to determine if and when the plugin was updated against this vulnerability
  3. Deactivating and uninstalling any plugins we do not use or that aren’t absolutely necessary for running our website

Then, I’ll continue to do what I’ve been doing: keeping an eye on logs, restricting access, performing weekly backups, applying updates immediately, and generally do all I can to keep our church’s website safe and stay ahead of threats.

For further reading

Cross-scripting article on Wikipedia

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Joost de Valk (Yoast): Security Updates For Our GA and SEO Plugins & Many Others

WP Tavern: XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins