Nettitude has recently observed multiple attacks utilising existing and known vulnerabilities in the WordPress blogging and publishing platform. The issue, described in the accompanying threat advisory, allows an attacker whom is able to post content to a WordPress installation, such as via a comment or blog entry, to craft a message that will bypass data sanitisation methods and potentially inject arbitrary JavaScript into the website. When a user views a page that contains this specially crafted message, the attacker’s JavaScript is able to interact with the site as if it were that user. This is referred to as a Cross-Site scripting (XSS) vulnerability.
In a typical use-case, many WordPress blogs allow comments to be submitted either anonymously or after a loose registration process. An attacker taking advantage of this would be able to post a specially crafted message that will eventually be loaded into the web browser of a user with administration rights (whether this is in the blog entry, a moderation queue or spam filter is irrelevant). This message creates a full-screen, transparent object which sits on top of all other window elements and executes the attacker’s payload when the mouse moves over it.
The XSS payload described – if triggered by a logged in user with appropriate permissions – will compromise the website in the following ways:

  • A new administration user will be added
  • The server will have a back-door installed
  • WordPress SPAM filtering will be rendered non-functional
  • The viewing user’s cookie stolen and potentially used for later session hijacking

To download a copy of Nettitude’s threat advisory ‘WordPress MouseOver’, please click here!
To contact Nettitude’s editor, please email