New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.
The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates.
Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.
The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.
The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.
Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that's similar to the ones fixed in the content management system itself.
The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.
Users of WP-Statistics are advised to update to version 8.3.1 of the plug-in as soon as possible in order to protect their sites. WP-Statistics has been downloaded over 830,000 times from the official WordPress plug-in repository.
WordPress sites are frequently targeted by cybercriminals who rely on compromised legitimate sites for many of their malicious activities, from hosting spam and malware to launching drive-by download attacks against Web users.