3aIT Blog

A new bug has been found in Wordpress that makes it possible for an attacker to gain complete control of a website, and lock the current owners out in the process.

The exploit is triggered by a malicious comment posted to the site. When an administrator views that comment while logged into Wordpress, the attacker is able to create their own Wordpress admin user and thereby gain complete control of the website.

This flaw affects ALL Wordpress installs prior to version 4.2.1 (released yesterday). While disabling comments mitigates the problem, it is highly recommended that you install the new version immediately.
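To check whether an install predates the fix, here is an added example (not part of the original post or of Wordpress itself) that reads `$wp_version` from Wordpress's own `wp-includes/version.php` and compares it with 4.2.1; the sample file contents below are constructed.

```python
import re
import sys
from pathlib import Path

# First Wordpress release carrying the fix for the comment flaw.
FIXED_VERSION = "4.2.1"

# Constructed sample of the assignment Wordpress keeps in wp-includes/version.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.3';\n$wp_db_version = 30133;\n"


def parse_version(text):
    """Extract the $wp_version string from the contents of version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version):
    """Turn '4.2.1' or '4.2.1-RC1' into a comparable tuple.

    Missing components count as 0 ('4.2' == '4.2.0'); a pre-release suffix
    sorts below the matching final release ('4.2.1-RC1' < '4.2.1')."""
    base, _, suffix = version.partition("-")
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (tuple(parts), 0 if suffix else 1, suffix)


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_install(wp_root):
    """Read wp-includes/version.php under wp_root; return (version, vulnerable)."""
    text = Path(wp_root, "wp-includes", "version.php").read_text()
    version = parse_version(text)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # path to a Wordpress root
        version, vulnerable = check_install(sys.argv[1])
    else:                                       # fall back to the sample
        version = parse_version(SAMPLE_VERSION_PHP)
        vulnerable = is_vulnerable(version)
    status = "VULNERABLE, upgrade" if vulnerable else "patched"
    print(f"Wordpress {version}: {status} (fix is in {FIXED_VERSION})")
```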

Unfortunately for Wordpress users, this news comes hot on the heels of another hugely widespread bug in the popular CMS. While that bug didn't affect Wordpress itself directly, it did affect many of the most popular plugins, including Yoast's SEO, Gravity Forms and Jetpack.

That flaw allows malicious code to be injected into visitors' browsers via what is known as "Cross Site Scripting" (XSS). Plugin developers are blaming the issue on poor documentation by the Wordpress team. As ever, ensure that your plugins are kept up to date along with your base Wordpress installation.