Millions of websites around the world are in danger of being taken over by hackers because of a vulnerability discovered in the WordPress software used to design them.

WordPress is the most popular content management system on the market and a security form has found a flaw that could allow hackers to hijack any website using the default theme and plugin if the administrator clicks on a malicious link.

Researcher David Dede from security firm Sucuri said that any WordPress theme or plugin that leverages on something called the genericons package is at risk in a blog post published on April 7. That includes the TwentyFifteen theme and plugin, which is the default theme for WordPress, as well as the JetPack plugin.

The vulnerability is caused by a critical Cross-Site Scripting (XSS) flaw in an insecure file that Dede is calling example.html, one that is part of the genericons package. Hackers can gain control of sites relying on these themes using a DOM-based XSS attack. In order to gain access, though, they will need some help from the site administrator. For the attack to work, someone logged in as an administrator to the WordPress site must first click on a malicious link, which would then give the hacker full access to edit or destroy the website as he sees fit.

Luckily, Dede says the fix for the problem is pretty straightforward. You simply need to remove or block access to the example.html file. Sucuri has already notified a number of web hosting companies it works with, so it may be that your site is no longer at risk. Dede says the following web hosting services have already fixed the vulnerability.

• GoDaddy
• HostPapa
• DreamHost
• ClickHost
• InMotion
• WPEngine
• Pagely
• Pressable
• WebSynthesis
• Site5
• SiteGround

WordPress also announced in a blog post that it has released a security update (4.2.2) it labeled critical that apparently eliminates the flaw. The update fixes the Genericons icon font package, used in a number of popular themes and plugins, which contained an HTML file vulnerable to a cross-site scripting attack. The post also noted WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Still, the widespread use of WordPress means there are probably millions of sites lying vulnerable to this XSS attack. WordPress holds more than 60 percent of the content management system market and powers roughly one in five of all websites, according to recent statistics.

Photo: Anthony Ryan | Flickr

ⓒ 2021 All rights reserved. Do not reproduce without permission.