Thursday, 15 October 2015

Security Advisory: Stored XSS in Akismet WordPress Plugin

Real People. Real Security.


During a routine audit for our Web Application Firewall (WAF), we discovered a critical stored XSS vulnerability affecting Akismet, a popular WordPress plugin with millions of active installs. It affects every site running Akismet version 3.1.4 or lower with the WordPress option "Convert emoticons like :-) and :-P to graphics on display" enabled, which is the default on any new WordPress installation.

The issue lies in the way Akismet handles hyperlinks present in the site's comments, which could allow an unauthenticated attacker with good knowledge of WordPress internals to insert malicious scripts into the Comments section of the administration panel. Because the injected script runs in the browser of whoever views that page, typically an administrator, an attack like this could lead to multiple exploitation scenarios, including a full site compromise.
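As an added example that is not part of the Sucuri advisory or of Akismet's own code, the following shell script checks whether a WordPress install matches the affected conditions stated above: Akismet 3.1.4 or lower together with the emoticon conversion option enabled. It assumes WP-CLI is installed and that the script is run from the WordPress root; `use_smilies` is the wp_options key behind the "Convert emoticons" setting, and the version comparison is done in awk so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the advisory): is this site in the affected set?
# Affected = Akismet version <= 3.1.4 AND the use_smilies option is "1".
# Assumes WP-CLI ("wp") is installed and we are in the WordPress root.

# version_le A B: exit 0 if dotted numeric version A <= B, else 1.
# Compares component by component; missing components count as 0,
# so "3.1" == "3.1.0" and "3.0.10" < "3.1.4".
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0;
      q = (i <= m) ? y[i] + 0 : 0;
      if (p < q) exit 0;
      if (p > q) exit 1;
    }
    exit 0
  }'
}

# akismet_affected VERSION SMILIES: exit 0 if the advisory's two conditions
# both hold. An empty version (plugin absent, or wp failed) is not affected.
akismet_affected() {
  [ -n "$1" ] || return 1
  version_le "$1" "3.1.4" && [ "$2" = "1" ]
}

# Live check, only when WP-CLI and a WordPress root are actually present.
# Both wp calls are real WP-CLI commands; failures fall through to "".
if command -v wp >/dev/null 2>&1 && [ -f wp-load.php ]; then
  ver=$(wp plugin get akismet --field=version 2>/dev/null || true)
  smilies=$(wp option get use_smilies 2>/dev/null || true)
  if akismet_affected "$ver" "$smilies"; then
    echo "AFFECTED: Akismet ${ver} with use_smilies=1; update Akismet past 3.1.4"
  else
    echo "not in affected set (Akismet '${ver}', use_smilies='${smilies}')"
  fi
fi
```

A match means the site meets the advisory's preconditions, not that it has been exploited; if it does match, updating Akismet is the fix, and disabling the emoticon option only removes one precondition.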
More details on this security advisory can be found here:
 
If you're a Sucuri customer subscribing to our Firewall or Antivirus protection, take a deep breath. You are already safe. If you're not a customer yet, save yourself from anxiety.
This email does not mean you are affected!

Being proactive in the protection of your site is one of the most important aspects of a solid security posture. Therefore, we feel it is important to research and report on all potential threats as quickly as possible.
Discover How List25 Leverages Sucuri's Website Application Firewall

"I needed a team and a product like the firewall Sucuri offers, which automatically blocks anything malicious. Because of the popularity of the site, List25.com, we cannot afford the site to go down. We changed hosting providers and then turned on the Sucuri Web Application Firewall layer that sits on top at the DNS level. Before using Sucuri I had to mitigate these attacks myself, but now that I'm using Sucuri I don't have to do any of that and that is a big stress reliever for me."
Sincerely,
- Your Sucuri Security Team
Copyright © 2015 Sucuri Security, All rights reserved.
The user subscribes to this list to stay current with the latest in security news.

Our mailing address is:
Sucuri Security
30141 Antelope RD
Suite D, #680
Menifee, CA 92584
