JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. The JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to measure, but both the plugin and theme are default installs in millions of WordPress installs.

The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.

The interesting thing about this attack is that it was detected in the wild days before disclosure. We received a report about it, and some of our clients were also getting reports saying they were vulnerable and pointing to:

Example

http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>

In this proof of concept, the XSS only displays a JavaScript alert, but the same vector could be used to execute arbitrary JavaScript in your browser and take over the site if you are logged in as admin.

Remove the genericons/example.html file

Fortunately, the fix for this one is straightforward: remove the unnecessary genericons/example.html file, or make sure you have a WAF or IDS that blocks access to it.

A few quick tips for all our WordPress hosting customers.

1. These files are normally found at the following or similar locations, from which you can remove them.

wp-content/themes/twentyfifteen/genericons/example.html
wp-content/plugins/jetpack/_inc/genericons/genericons/example.html

2. If a developer set up your website and did a lot of customizations, there is a slight chance that they changed the filename of example.html or reused part of its code in their own plugin customizations. In that case, you may want to have your developer check for it.

3. Reports so far suggest it has only affected the twentyfifteen theme. The problem is specifically in this jQuery call: jQuery(document).ready(function() ..., where the value of window.location.hash.split('#')[1] is used unsanitized.

4. The theme/plugin does not need to be active in your dashboard for it to be a threat; inactive ones can still have the files on disk. Please audit all your themes/plugins and remove all unused/unattended ones while you remove the example.html file from your website files.

5. As in every other case, the key point is keeping everything on your website updated (all applications/themes/templates/plugins/extensions) and removing all unused/unwanted/unattended ones.
