
Posted by LWN.net ([info]syn_lwnheadline)
@ 2014-11-24 21:44:00


Four-year-old comment security bug affects 86 percent of WordPress sites (Ars Technica)
Ars Technica reports
on a recently discovered bug in WordPress 3 sites that could be used to
launch malicious script-based attacks on site visitors’ browsers.
"The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows
an attacker to craft a comment on a blog post that includes malicious
JavaScript code. On sites that allow comments without authentication—the
default setting for WordPress—this could allow anyone to post malicious
scripts within comments that could target site visitors or
administrators. A proof of concept attack developed by Klikki Oy was able
to hijack a WordPress site administrator’s session and create a new
WordPress administrative account with a known password, change the current
administrative password, and launch malicious PHP code on the server. That
means an attacker could essentially lock the existing site administrator
out and hijack the WordPress installation for malicious purposes."
WordPress 4.0 is not vulnerable to the attack.

