Millions of WordPress websites are at risks of being completely hijacked by the hackers due to a critical cross-site scripting (XSS) vulnerability present in the default installation of the widely used content management system.
The cross-site scripting (XSS) vulnerability, uncovered by the security researcher reported by Robert Abela of Security firm Netsparker.
Wordpress vulnerability resides in Genericons webfont package that is part of default WordPress Twenty Fifteen Theme.
Here comes the threat:
The XSS vulnerability has been identified as a "DOM-based," which means the flaw resides in the document object model (DOM) that is responsible for text, images, headers, and links representation in a web browser.
The easy-to-exploit DOM-based Cross-Site Scripting (XSS) vulnerability occurred due to an insecure file included with Genericons that allowed the Document Object Model Environment in the victim’s browser to be modified. Read Full Article