GoFuckYourself.com - Adult Webmaster Forum

[!] - Wordpress - JetPack, TwentyFifteen and others (https://gfy.com/showthread.php?t=1166244)

MrGusMuller 05-07-2015 09:10 AM

[!] - Wordpress - JetPack, TwentyFifteen and others
 
Quote:

Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable.
...

Quote:

but if you do not have a WAF or IPS protecting your site, we highly recommend removing the example.html from inside the genericons directory.
https://blog.sucuri.net/2015/05/jetp...based-xss.html

cybermike 05-07-2015 09:10 AM

Getting annoying, WordPress!

MrBottomTooth 05-07-2015 09:16 AM

So was this something fixed in the last update or something new?

Bladewire 05-07-2015 09:18 AM

Quote:

Originally Posted by MrBottomTooth (Post 20468864)
So was this something fixed in the last update or something new?

I assume it's new because WP auto updated last night to 4.2.2 :)

MrGusMuller 05-07-2015 10:17 AM

If you have the following files on your WP, you aren't safe.
wp-content/themes/twentyfifteen/genericons/example.html
wp-content/plugins/jetpack/_inc/genericons/genericons/example.html

EVEN if twentyfifteen and jetpack are disabled, you are compromised.

If you've updated WP core to 4.2.2, it should have removed these files for you automatically.


Peace
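The two paths in the post above are just the two known copies; any plugin or theme bundling genericons ships the same example.html. As an added example (not from the thread or from WordPress), this POSIX shell script finds every genericons/example.html under wp-content and deletes them, which is the remediation Sucuri recommends for sites not behind a WAF. The site root path is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example: find and remove the DOM-XSS-prone genericons example.html
# anywhere under a WordPress install. Usage: ./genericons_cleanup.sh /var/www/html
# (the site root is an assumed argument, not a value from the thread).

# Print every genericons/example.html below wp-content, one path per line.
# Covers the two paths listed in the thread plus any other bundled copy.
find_genericons_examples() {
    wp_root="$1"
    find "$wp_root/wp-content" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Delete each file found and print how many were removed.
# Reads paths line by line so names containing spaces are handled.
remove_genericons_examples() {
    wp_root="$1"
    count=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue          # skip the empty line an empty find yields
        rm -f "$f"
        count=$((count + 1))
    done <<EOF
$(find_genericons_examples "$wp_root")
EOF
    echo "$count"
}

# Stand-alone run: report what is present, then remove it.
if [ -n "$1" ]; then
    echo "Vulnerable genericons example.html files under $1:"
    find_genericons_examples "$1"
    echo "Removed: $(remove_genericons_examples "$1")"
fi
```

Only example.html is touched; the genericons.css and font files the theme or plugin actually needs stay in place.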

