WordPress zero day vulnerability on comment text patched in 4.2.1

Many readers have likely heard by now that WordPress 4.2.1 is out (and probably already patched on your installs). The patch is in response to a zero day vulnerability reported by Jouko Pynnönen of Klikki.

WordPress 4.2.1 adds a check on the length of comment content so that a comment can no longer be silently truncated when it is stored in the database (comment text lives in a MySQL TEXT column, which holds at most 64 kB).

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
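To make the mechanism concrete, here is a constructed model of the storage path, written for this post; it is not WordPress or Klikki code. It assumes the comment column is a MySQL TEXT column of 65535 bytes and that the server runs without strict SQL mode, so an oversized value is cut off rather than rejected. The comment uses only an allowed tag and attribute; the attribute-looking text inside the quoted title value passes an attribute allow-list because, while the quotes are intact, it is just part of the title. Once storage drops the closing quote, the markup the filter approved is no longer the markup the browser gets, and what the browser makes of the unterminated quote depends on whatever follows the comment on the page (the trailing `</p><p class='reply'>` markup below is a constructed stand-in for that). The checked path models the 4.2.1 idea of refusing anything the column cannot hold, and measures bytes rather than characters.

```python
from html.parser import HTMLParser

# Constructed model, not WordPress code. Assumptions:
#  - comment content is a MySQL TEXT column: at most 65535 bytes.
#  - the server runs without strict SQL mode, so an oversized value is
#    silently cut at the column size instead of rejected with an error.
COLUMN_BYTES = 65535


def db_store_comment(comment: str) -> str:
    """Simulate the non-strict TEXT column: bytes past COLUMN_BYTES are dropped.
    The cut is on bytes; in this model a character cut in half is dropped too."""
    return comment.encode("utf-8")[:COLUMN_BYTES].decode("utf-8", errors="ignore")


class StartTagCollector(HTMLParser):
    """Collect every complete start tag (name, {attr: value}) the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(fragment: str):
    p = StartTagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def build_comment(padding: int) -> str:
    """A comment using only an allowed tag (<a>) and an allowed attribute (title).
    While the quotes are intact, the attribute-looking text inside the value is
    just part of the title, so an attribute allow-list has nothing to reject."""
    value = "x onmouseover=alert(1) " + "A" * padding
    return f"<a title='{value}'>link</a>"


def store_unchecked(comment: str) -> str:
    """Model of the pre-4.2.1 path: insert whatever the input filter approved."""
    return db_store_comment(comment)


def store_checked(comment: str) -> str:
    """Model of the 4.2.1 check: refuse anything the column cannot hold before it
    reaches the database. Measure bytes, not characters: the limit is a byte limit."""
    if len(comment.encode("utf-8")) > COLUMN_BYTES:
        raise ValueError("comment content would be truncated; rejecting comment")
    return db_store_comment(comment)


def accepts(comment: str) -> bool:
    """True if the checked path would store the comment unchanged."""
    try:
        return store_checked(comment) == comment
    except ValueError:
        return False


def render_after(stored: str, following_markup: str):
    """What a parser makes of the stored comment plus the page markup after it."""
    return start_tags(stored + following_markup)


def demo():
    comment = build_comment(COLUMN_BYTES)      # well over the column size
    approved = start_tags(comment)             # one <a> with one title attribute
    stored = store_unchecked(comment)          # closing quote and </a> are gone
    # Constructed stand-in for the theme markup that follows a comment body.
    rendered = render_after(stored, "</p><p class='reply'>Reply</p>")
    return approved, stored, rendered


if __name__ == "__main__":
    approved, stored, rendered = demo()
    print("attributes the filter saw:", list(approved[0][1]))
    print("stored text still closes the tag:", stored.endswith("'>link</a>"))
    print("tags after rendering with trailing page markup:",
          [(t, list(a)) for t, a in rendered])
    print("checked path accepts the oversized comment:",
          accepts(build_comment(COLUMN_BYTES)))
```

Two practical points fall out of the model. First, the unterminated quote swallows the page markup that follows the comment: in the rendered parse the `<p class='reply'>` element never appears, because its text became part of the title value, and the tag only closes where the page happens to supply a quote. Second, a check that counts characters (PHP's `mb_strlen`, for instance) is not enough: 30000 three-byte characters are under the limit in characters and over it in bytes, and would still be truncated. Running MySQL in strict mode turns the silent truncation into an insert error, which is a reasonable second line of defence but not a substitute for the application-side check.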

The vulnerability was published as a zero day, meaning it was disclosed publicly before a patch was ready rather than through a coordinated disclosure process. The Klikki blog claims, “WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014.” However, their post does not make clear whether this particular vulnerability had been reported to WordPress before publication. Either way, it appears there was a breakdown in communication between the WordPress security team and Klikki.

The patch and the subsequent point release were out within hours of the disclosure. Additionally, anyone running Akismet was already protected, as were installs with comments disabled. This was a serious vulnerability, but one with at least as many ways to be unaffected as to be affected.

It’s a tough start for WordPress 4.2, and it’s been a tough few days for WordPress security as a whole, as this happened on the heels of last week’s security release and recent coordinated plugin security updates.

It’s understandable that some are led to pose the question: Is WordPress safe? Morten Rand-Hendriksen answers the question beautifully on the Lynda blog.

The answer is complicated, but in simple terms, yes. WordPress is one of the safest tools you can use to power your website, and if you’re keeping your installation up to date and hosting it on a safe server, you’ll be about as safe as you can be.

Does that mean WordPress is 100% secure? No. But compared to the competition and to a site or application you built from scratch, it will always be more secure, simply because the WordPress community is always working to make it more secure.

For all the vulnerability popularity brings, there is profound safety in the numbers of the WordPress community.

No doubt, there will be more flaws in the WordPress codebase uncovered; it’s simply too ripe a target. But WordPress has so many people that care for this project and it’s in great hands. Today’s response to a far from ideal situation shows that.