In a typical use-case, many WordPress blogs allow comments to be submitted either anonymously or after a loose registration process. An attacker taking advantage of this would be able to post a specially crafted message that will eventually be loaded into the web browser of a user with administration rights (whether this is in the blog entry, a moderation queue or spam filter is irrelevant). This message creates a full-screen, transparent object which sits on top of all other window elements and executes the attacker’s payload when the mouse moves over it.
The XSS payload described, if triggered by a logged-in user with appropriate permissions, will compromise the website in the following ways:
- A new administration user will be added
- The server will have a back-door installed
- WordPress spam filtering will be rendered non-functional
- The viewing user's cookie will be stolen and potentially used later for session hijacking