Millions of websites running WordPress are at risk of hijacking attacks thanks to a vulnerability that is actively being exploited in the wild and is present in the default installation of the widely used content management system, security researchers warned Wednesday.
The cross-site scripting (XSS) vulnerability resides in Genericons, an icon-font package bundled with Twenty Fifteen, a theme that WordPress installs by default, according to a blog post published Wednesday by security firm Sucuri. The flaw is "DOM based," meaning the attacker's input never has to be echoed back by the server: it is read by the page's own client-side JavaScript from the browser's document object model, the in-memory structure that represents the page's text, images, headers, and links, and written into the page from there. Because the malicious data can travel entirely inside the browser, server-side filters and request logs typically never see it. The Open Web Application Security Project publishes a detailed description of DOM-based XSS vulnerabilities.
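The following is an added example, not code from the article, from Sucuri, or from the Genericons or WordPress projects. It shows the generic DOM-based XSS pattern that OWASP describes, in which a script copies part of the page's URL (here the fragment after `#`) into an HTML sink such as `innerHTML`, alongside two hardened versions. The URL, the `icon` fragment convention, and all function names are assumptions made for illustration; the example does not claim to reproduce the exact Genericons code. It runs in Node without a DOM by returning the markup a page would assign to `element.innerHTML`.

```javascript
// Added example (not from the article or the Genericons project): the classic
// DOM-based XSS pattern, where client-side script copies an attacker-controlled
// part of the URL (the fragment after '#') into an HTML sink such as innerHTML.
// Each render function returns the markup a page would assign to innerHTML.

// Mirror what a browser's location.hash gives a script: the fragment without
// the leading '#'. Scripts commonly URL-decode it, which also undoes the
// percent-encoding the URL parser applies to characters such as '<' and '>'.
function fragmentOf(url) {
  const raw = new URL(url).hash.slice(1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed %-sequence: keep the raw text rather than crash
  }
}

// The HTTP request line carries only path and query; the fragment stays in the
// browser. This is why a fragment-borne DOM XSS payload is absent from server
// logs and invisible to a server-side web application firewall.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// VULNERABLE: the fragment is concatenated straight into markup. Any tag or
// event handler in the fragment becomes live DOM once assigned to innerHTML.
function renderVulnerable(url) {
  const icon = fragmentOf(url);
  return '<div class="icon">' + icon + '</div>';
}

// Minimal HTML-entity escaping for text placed in element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED, option 1: treat the fragment as text, never as markup. In a real
// page use element.textContent = icon instead of innerHTML; escaping here gives
// the equivalent result for an innerHTML sink.
function renderEscaped(url) {
  return '<div class="icon">' + escapeHtml(fragmentOf(url)) + '</div>';
}

// HARDENED, option 2 (preferred when the input is meant to be an identifier):
// allow-list the value. An icon name is a short token; anything else is
// replaced with a default rather than rendered at all.
const ICON_NAME = /^[a-z0-9-]{1,40}$/;
function renderAllowListed(url) {
  const icon = fragmentOf(url);
  const safe = ICON_NAME.test(icon) ? icon : 'default';
  return '<div class="icon ' + safe + '"></div>';
}

// Constructed sample URLs (hypothetical host and path, not a real site).
const BENIGN_URL = 'https://example.test/genericons/example.html#genericon-star';
const EVIL_URL =
  'https://example.test/genericons/example.html#<img src=x onerror=alert(1)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('server sees:      ', requestTarget(EVIL_URL));
  console.log('vulnerable render:', renderVulnerable(EVIL_URL));
  console.log('escaped render:   ', renderEscaped(EVIL_URL));
  console.log('allow-list render:', renderAllowListed(EVIL_URL));
  console.log('benign allow-list:', renderAllowListed(BENIGN_URL));
}

module.exports = { fragmentOf, requestTarget, renderVulnerable, renderEscaped, renderAllowListed };
```

The `requestTarget` check is the part worth remembering when hunting for this bug class: a payload in the URL fragment is never sent to the server, so detection has to happen in the browser (or by source review of code that reads `location.hash`, `location.href`, or `document.URL` into an HTML sink), not in access logs. The allow-list variant is the stronger fix when the value is supposed to be an identifier, because it rejects unexpected input outright instead of relying on escaping being applied correctly at every sink.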
Like reflected XSS, a DOM-based XSS attack requires the target to open a malicious link, a limitation that lowers its severity compared with a stored XSS that fires on every page view. Still, once an administrator takes the bait while logged into a vulnerable WordPress installation, the injected script runs inside the administrator's authenticated session, and the attackers can use it to gain full control of the site. Sucuri researcher David Dede wrote: