
WordPress vulnerability affects millions of sites, and yours could be next

According to a post by the security research team at Sucuri, millions of WordPress websites could be at risk for exploitation thanks to a defect in a popular theme included in the default setup.

The exploit feeds off a type of XSS vulnerability known as “DOM-based XSS,” where DOM stands for Document Object Model. According to the independent vetting agency, DOMs are used to teach a browser how to display the headers, images, text, or links inside a WordPress loadout theme.

The theme (called “Twenty Fifteen” despite the fact that it was released last year) is installed by default in all core builds of the current WordPress distribution, making it an especially large target for any hackers who want to catch the biggest fish they can with the smallest net.

The crack digs its claws in when a site administrator clicks a malicious link, either in their email or on a phishing website, while logged into WordPress, enabling an automatic scan of the server for a potential hole to get in.

What makes this especially worrisome is the fact that the bug doesn’t need your site to be running a version of Twenty Fifteen for it to be a problem. Because the theme is included in the database of every rollout, it’s automatically a given that you could be hacked.

If you own a WordPress site (regardless of the version installed), you should use the query tool to check and see if you might be vulnerable to an attack.

The larger domain hosts such as GoDaddy and ClickHost have already scrubbed through their subscriber base and removed any traces of the bug, but if you’re running an independent server, or your host isn’t listed here, be sure to make the change yourself to immunize yourself and your users from the threat.

Chris Stobing
Former Digital Trends Contributor