
WordPress 3.x Security Warning: Malicious Code Hidden in Comments

By William Peacock, Esq. on November 24, 2014 11:45 AM

That annoying comment might be more than spam telling visitors how to solve their intimacy issues, or how to make easy money at home. Instead, it may be malicious code that could hijack your site, lock you out completely, and even take over your server as a whole -- a nightmare for larger companies that store more than a simple webpage on their servers.

Fortunately, the bug, discovered by Finnish IT security company Klikki Oy, was reported to WordPress months before being made public, and security patches are already being automatically (no pun intended) deployed. The bug affects an estimated 86 percent of WordPress sites (those running any unpatched version of WordPress 3 -- version 4.0, which was released in September, is not affected). The exploit uses text input fields, such as the enabled-by-default blog comments feature, to deploy malicious code.

Wait, Malicious Comments?

Exactly. The bug is exploited by posting malicious code in a text-entry field, such as a blog comment field. When a WordPress administrator views the comment, the code is executed in the viewer's web browser, allowing the hacker to perform administrative tasks. According to Klikki Oy:

Such operations - demonstrated by our proof of concept exploits - include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

That may be gibberish to some, so we'll say this: it is bad. It's like a squatter walking into the back door of your house and changing your locks, all by posting a blog comment.
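For readers who run a site and want to see what "code in a comment" actually means, here is an added PHP illustration. It is not WordPress's code, not the WordPress patch, and not the Klikki Oy proof of concept; the comments and the placeholder script tag are constructed for the example. It contrasts a template that prints comment text straight into the page with one that HTML-escapes it on output (the same idea as WordPress's own esc_html()), and shows a crude reviewer check for stray tags in rendered output. The actual fix for affected sites remains the WordPress update described below.

```php
<?php
// Added illustration, not WordPress code: why an unescaped comment is
// dangerous and how output escaping neutralises it. Runs with the PHP CLI.

// Constructed sample comments: one ordinary, one smuggling a tag. The
// script body is a placeholder comment, so nothing runs even if rendered.
$comments = [
    ['author' => 'alice',   'body' => 'Great post, thanks!'],
    ['author' => 'spammer', 'body' => 'Work from home! <script>/* attacker-controlled script would run here */</script>'],
];

// Vulnerable rendering: comment text is concatenated straight into the page,
// so any markup the commenter supplied is interpreted by the admin's browser.
function render_comment_unsafe(array $c): string {
    return '<li><b>' . $c['author'] . '</b>: ' . $c['body'] . '</li>';
}

// Hardened rendering: every untrusted string is HTML-escaped on output, so
// '<', '>', '"', "'" and '&' reach the browser as literal characters, not
// markup. WordPress exposes the same idea as esc_html(); this is plain PHP.
function render_comment_safe(array $c): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li><b>' . $esc($c['author']) . '</b>: ' . $esc($c['body']) . '</li>';
}

// Crude review check: after removing the tags our own template emits, does
// any tag remain? If so, commenter-supplied markup reached the page.
function contains_foreign_tag(string $html): bool {
    $stripped = str_replace(['<li>', '</li>', '<b>', '</b>'], '', $html);
    return (bool) preg_match('/<[a-zA-Z\/!]/', $stripped);
}

foreach ($comments as $c) {
    $unsafe = render_comment_unsafe($c);
    $safe   = render_comment_safe($c);
    printf("%-8s unsafe: %s\n         foreign tag: %s\n", $c['author'], $unsafe, contains_foreign_tag($unsafe) ? 'YES' : 'no');
    printf("%-8s safe:   %s\n         foreign tag: %s\n\n", $c['author'], $safe, contains_foreign_tag($safe) ? 'YES' : 'no');
}
```

Running it shows the spam comment's script tag surviving intact in the unsafe rendering and appearing as harmless `&lt;script&gt;` text in the safe one. Escaping at output time is the general defence against this class of bug, which is why a site operator should still apply the vendor update rather than rely on a theme-level check like the one above.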

Already Fixed?

The simplest fix, as always, is to update your WordPress installation. You can do it by logging in and clicking the update button -- WordPress is really easy to keep up-to-date. (As always, backing up before updating is good advice.) If you are holding off for some reason, such as plug-ins or themes that won't play nice with WordPress 4, a security patch is automatically deploying to most sites running 3.7.4, 3.8.4, and 3.9.2. (If you're on anything older than that, you really need to upgrade, as WP does not support older versions.)

If you are already on WordPress 4.0, you'll also want to click the update button: a security update for that version addresses eight other security issues.
