Millions of WordPress websites are at risk due to the exploitation of a vulnerability in two widely used WordPress plugins: “JetPack”, a customization and performance tool, and “Twenty Fifteen”, used for infinite scrolling. WordPress installs “Twenty Fifteen” by default, which increases the number of vulnerable sites. Both plugins use a package called genericons, which contains vector icons embedded in a font. The package includes an insecure file called example.html, which is what makes the package vulnerable.

The vulnerability in genericons is hard to detect. It is an XSS (cross-site scripting) flaw in which the malicious payload runs by modifying the browser’s DOM (Document Object Model), the programming API that defines how HTML and XML documents are accessed and displayed. The payload is executed directly in the browser and never goes to the server, so web application firewalls cannot see it and stop it.
The information provided herein is on an "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street