The latest WordPress version (4.2, released on Thursday) and several earlier ones contain a stored cross-site scripting (XSS) vulnerability that lets an attacker inject JavaScript into a site through its comments.

Surprise, surprise, another WordPress issue is on our hands.

“If [the script is] triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” researcher Jouko Pynnönen of Finnish security company Klikki Oy explained in a security advisory published on Sunday.

“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

“The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect,” Pynnönen pointed out.

“If the comment text is long enough, it will be truncated when inserted in the database. The truncation results in malformed HTML generated on the page.”
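The mechanism Pynnönen describes, a sanitizer that approves the comment before the database silently shortens it, modelled as an added example (this is not code from the advisory or from WordPress). The allow-list filter here is a toy stand-in for WordPress's kses, the MySQL stand-in only models the 65,535-byte TEXT limit, and the function names (sanitize, store_comment_vulnerable, store_comment_fixed, is_still_sanitized, build_long_comment) and the padded sample comment are constructed for the example. It stops at the stored HTML and does not model how a browser parses it.

```python
"""Validate-then-truncate, modelled: the sanitizer approves a comment, the
database silently shortens it, and what is stored is no longer what was approved.
Added example with a toy allow-list filter, not WordPress's kses."""
import re

TEXT_COLUMN_BYTES = 65535  # capacity of a MySQL TEXT column

# Constructed allow-list: tag -> attribute names permitted on it.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set()}

TAG_RE = re.compile(r"<[^<>]*>")
OPEN_RE = re.compile(r"""^<([A-Za-z]+)((?:\s+[^\s=>]+=(?:"[^"]*"|'[^']*'))*)\s*>$""")
CLOSE_RE = re.compile(r"^</([A-Za-z]+)\s*>$")
ATTR_RE = re.compile(r"""([^\s=>]+)=("[^"]*"|'[^']*')""")


def escape(text: str) -> str:
    """Neutralise tag delimiters in text that is not an approved tag."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def sanitize(text: str) -> str:
    """Toy allow-list HTML filter. Well-formed tags from ALLOWED survive with
    only their permitted, quoted attributes; every other '<' or '>' is escaped.
    An attribute *name* such as onmouseover never passes, but a quoted *value*
    that happens to contain "onmouseover=" is accepted: quoted, it is just text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        tag, pos = m.group(0), m.end()
        close = CLOSE_RE.match(tag)
        if close and close.group(1).lower() in ALLOWED:
            out.append(f"</{close.group(1).lower()}>")
            continue
        opn = OPEN_RE.match(tag)
        if opn and opn.group(1).lower() in ALLOWED:
            name = opn.group(1).lower()
            keep = [(n.lower(), v) for n, v in ATTR_RE.findall(opn.group(2))
                    if n.lower() in ALLOWED[name]]
            out.append("<" + name + "".join(f" {n}={v}" for n, v in keep) + ">")
            continue
        out.append(escape(tag))  # malformed or disallowed tag becomes text
    out.append(escape(text[pos:]))
    return "".join(out)


def mysql_insert_nonstrict(value: str) -> str:
    """Without STRICT_TRANS_TABLES/STRICT_ALL_TABLES, MySQL silently cuts an
    over-long TEXT value at the column limit instead of rejecting the row.
    (Models the byte limit only, not MySQL's per-charset rules.)"""
    return value.encode("utf-8")[:TEXT_COLUMN_BYTES].decode("utf-8", "ignore")


def store_comment_vulnerable(raw: str) -> str:
    """Validate, then store: the sanitizer's verdict is lost on truncation."""
    return mysql_insert_nonstrict(sanitize(raw))


def store_comment_fixed(raw: str) -> str:
    """Enforce the storage limit on the raw input *before* validating, so what
    the sanitizer approves is exactly what the column will hold."""
    if len(raw.encode("utf-8")) > TEXT_COLUMN_BYTES:
        raise ValueError("comment exceeds storage limit")
    return sanitize(raw)


def is_still_sanitized(stored: str) -> bool:
    """Invariant every sanitized string satisfies: re-filtering changes nothing.
    Checking it on the *stored* value catches validation lost to truncation."""
    return sanitize(stored) == stored


def build_long_comment(padding: int = TEXT_COLUMN_BYTES) -> str:
    """Constructed input: a sanitizer-approved link whose quoted title is padded
    so that the whole comment overflows the TEXT column."""
    return "<a title='harmless looking title " + "A" * padding + "'>link</a>"


def demo() -> dict:
    raw = build_long_comment()
    stored = store_comment_vulnerable(raw)
    return {
        "approved_is_sanitized": is_still_sanitized(sanitize(raw)),  # True
        "stored_is_sanitized": is_still_sanitized(stored),           # False
        "stored_ends_with": stored[-4:],       # padding; closing quote is gone
        "unterminated_quote": stored.count("'") % 2 == 1,            # True
        "stored_bytes": len(stored.encode("utf-8")),                 # 65535
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    try:
        store_comment_fixed(build_long_comment())
    except ValueError as err:
        print("fixed path:", err)
```

The fixed path rejects over-long input before the filter runs; truncating the raw input before filtering would also keep the approved and stored values in step. Whether MySQL would truncate at all is one `SELECT @@sql_mode;` away (STRICT_TRANS_TABLES or STRICT_ALL_TABLES turn the silent cut into an error), but WordPress's wpdb::set_sql_mode() strips those modes from its own session, so the application-side length check is the one to rely on.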
