NEWS FROM THE LAB - Wednesday, October 3, 2012

WordPress Premium Theme XSS Vulnerability Posted by Sean @ 10:20 GMT

On Tuesday, we shared a rather silly video which made a serious point about the need to keep websites secure.

Unfortunately, limiting potential website vulnerabilities is not exactly intuitive. There's always additional stuff one needs to consider.

For example, let's take the very popular WordPress(.org) publishing platform. WordPress itself does a pretty good job when it comes to maintaining its security. Unfortunately, the same cannot be said for everybody that runs WordPress websites. Many website admins allow their WordPress installations to fall out of date, and there are numerous compromised WordPress sites online as a result.

But even those admins that do keep their platform up to date still have things to worry about, such as themes.

Product security professional and pentester, Janne Ahlberg, has discovered several WordPress themes by Parallelus that are affected by a reflected cross-site scripting (XSS) vulnerability.

Here's a screenshot of the XSS vulnerability demonstrated with the Unite theme:

[Screenshot: Para.llel.us Unite theme]

Based on Ahlberg's tests, the XSS vulnerability can be used to execute remote JavaScript. Affected sites include personal blogs, but also corporate websites. You can read more information on his blog: Janne's corner.
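The general shape of a reflected XSS in a theme template, beside the fix a theme author would apply, as an added illustration that is not code from the original post, from Ahlberg's write-up, or from any Parallelus theme. The parameter name `s`, the heading markup and the input value are constructed for the example; WordPress itself ships `esc_html()` and `esc_attr()` for exactly this purpose, and the stand-in definition below only exists so the file also runs from a plain PHP command line.

```php
<?php
// Added example: a reflected XSS pattern in theme output and its hardened form.
// Nothing here is taken from the affected themes; names and input are constructed.

// WordPress provides esc_html(); outside WordPress we define an equivalent
// stand-in so this file runs from the PHP CLI.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: a request parameter is concatenated straight into HTML.
// Whatever markup the URL carried becomes part of the page the visitor sees.
function render_search_heading_unsafe($query) {
    return '<h2>Search results for: ' . $query . '</h2>';
}

// Hardened pattern: every request-derived value is escaped for the HTML
// context it lands in before it is output. The text is still shown to the
// user, but the browser renders it as text rather than as markup.
function render_search_heading_safe($query) {
    return '<h2>Search results for: ' . esc_html($query) . '</h2>';
}

// Constructed stand-in for a crafted ?s= parameter; it deliberately contains
// a tag and an event-handler attribute so the difference is visible.
$input = isset($_GET['s']) ? $_GET['s'] : '<b onmouseover="x()">term</b>';

echo 'unsafe: ' . render_search_heading_unsafe($input) . PHP_EOL;
echo 'safe:   ' . render_search_heading_safe($input) . PHP_EOL;
```

Run it with `php example.php` and compare the two lines: the unsafe version emits the tag and attribute verbatim, the safe version emits `&lt;`, `&gt;` and `&quot;` entities. When reviewing a theme, the thing to look for is the first pattern, any `echo` or `<?= ?>` of `$_GET`, `$_POST`, `$_SERVER['REQUEST_URI']` or `get_query_var()` output that is not wrapped in the escaping function matching its context (`esc_html()` for element text, `esc_attr()` for attribute values, `esc_url()` for href/src).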

And for more information on securing your WordPress installation, see this article: Hardening WordPress.

Update: According to the developer — affected Parallelus themes are now corrected.