A vulnerability within two widely used WordPress plugins is already being exploited by hackers, putting millions of WordPress sites at risk, according to a computer security firm.
The plugins are Jetpack, a customization and performance tool, and Twenty Fifteen, used for infinite scrolling, wrote David Dede, a malware researcher with Sucuri. WordPress installs Twenty Fifteen by default, which increases the number of vulnerable sites.
Both plugins use a package called genericons, which contains vector icons embedded in a font. In the package, there is an insecure file called “example.html” which makes the package vulnerable, Dede wrote.
The vulnerability in genericons is hard to detect, Dede wrote. It’s an XSS (cross-site scripting) flaw in which the malicious payload runs as a result of modifying a browser’s DOM (Document Object Model), which is a programming API that defines how HTML and XML documents are accessed and displayed, according to the W3C.
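Because the flaw sits in a static file shipped inside the genericons package, a site owner can check an installation for bundled copies of it. The script below is an added example, not code from Sucuri or the article; it assumes the usual `plugins/<name>` and `themes/<name>` directory layout, and the function names are hypothetical.

```python
import os
import sys
from pathlib import Path


def owning_component(rel: Path) -> str:
    """Map a path relative to the site root to 'plugins/<name>' or 'themes/<name>'."""
    parts = rel.parts
    for i, part in enumerate(parts[:-1]):
        if part in ("plugins", "themes") and i + 1 < len(parts) - 1:
            return f"{part}/{parts[i + 1]}"
    return "unknown"


def find_genericons_examples(wp_root):
    """Return sorted (component, relative_path) pairs for each bundled example.html."""
    root = Path(wp_root)
    hits = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Only directories at or below a folder named "genericons" are of interest.
        if "genericons" not in (p.lower() for p in rel_dir.parts):
            continue
        for name in files:
            if name.lower() == "example.html":  # tolerate case-insensitive filesystems
                rel = rel_dir / name
                hits.append((owning_component(rel), rel.as_posix()))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python find_genericons.py /path/to/wordpress
    found = find_genericons_examples(sys.argv[1] if len(sys.argv) > 1 else ".")
    for component, path in found:
        print(f"{component}\t{path}")
    sys.exit(1 if found else 0)  # non-zero exit when a copy is present
```

The non-zero exit status lets the check run from cron or a deployment pipeline and flag any site where a copy of the file is still present.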
Read the Full Article: Source – Computer World
http://www.computerworld.com/article/2919855/security/attackers-exploit-vulnerabilities-in-two-wordpress-plugins.html