
How To Protect your WordPress Site from the Genericons Example.html XSS Vulnerability

Published on May 7, 2015

Introduction

On May 6th, 2015, a critical WordPress bug was disclosed that potentially affects millions of users. The vulnerability, which actually stems from components that make use of the “Genericons” icon font package, can leave your site open to cross-site scripting (XSS) attacks.

In this article, we’ll explain the impact of the vulnerability, how to check if your site is vulnerable, and what actions you should take if you find that you are affected.

Explanation of the Vulnerability

The actual vulnerability is present in a font package called “Genericons” and not the core WordPress installation. Unfortunately, this font package is used by “TwentyFifteen”, the theme installed and enabled in WordPress by default. The vulnerability also affected a popular WordPress customization and enhancement plugin called “JetPack”, which has over one million active installations, and possibly other plugins and themes as well.

The vulnerability exists in a single file called example.html which is included in the Genericons package. This is a non-essential file which was included to showcase the font. However, it includes a jQuery snippet that introduces a vulnerability potentially allowing DOM-based cross-site scripting exploits. Any themes or plugins that used the more modern versions of the “Genericons” package without removing this file were vulnerable.

A DOM-based cross-site scripting attack works by altering the DOM environment as interpreted by a user’s browser, causing the scripted actions to execute in a way contrary to their original design. In order to exploit the vulnerability, a user must be enticed to click a specially crafted link while logged into a WordPress installation. If an application has this type of vulnerability, the server cannot easily prevent unwanted behavior because the actions occur within the browser itself. Fortunately, removing the vulnerability is trivial in this case.

Does My Server Have this Vulnerability?

On May 7th, 2015, WordPress 4.2.2 was released, which patches this issue. If you installed or updated to the latest version of WordPress on or after this date, your installation should be secured. Any DigitalOcean Droplets that have been created from the WordPress one-click on or after this date should not be vulnerable.

If you are operating a WordPress instance that was installed prior to this date and have not updated to 4.2.2, your site may be vulnerable. If so, your admin panel will display a warning that looks like this:

[Screenshot: WordPress update warning]

You can also go to your server’s document root and look for the example.html files themselves. For instance, if you are in your server’s document root, you can type:

    find . -path "*/genericons/example.html"

The results will look something like this:

    ./wp-content/themes/twentythirteen/genericons/example.html
    ./wp-content/themes/twentyfifteen/genericons/example.html
    ./wp-content/themes/twentyfourteen/genericons/example.html

In the above example, an example.html file was found in the TwentyFifteen theme, indicating that this installation is vulnerable. The example.html files within the other themes shown here are not actually vulnerable as they do not include the offending jQuery lines. Look for example.html files within the twentyfifteen/genericons directory or within any plugins you might have.
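The check described above can be scripted so that each copy found is classified rather than only listed. This is an added example, not part of the original tutorial: the function names and the sample tree are constructed for illustration, and matching the string "jquery" is an assumed heuristic for "includes the offending jQuery lines".

```shell
#!/bin/sh
# Added example: classify every genericons/example.html under a document root.
# Heuristic (assumption): a copy that mentions "jquery" carries the scripted
# demo the article calls vulnerable; a copy without it is static HTML.

audit_genericons() {
    # $1 = document root. Prints "SCRIPTED <path>" or "STATIC <path>" per file.
    find "$1" -type f -path "*/genericons/example.html" | sort |
    while IFS= read -r f; do
        if grep -qi 'jquery' "$f"; then
            echo "SCRIPTED $f"
        else
            echo "STATIC $f"
        fi
    done
}

count_scripted() {
    # Number of copies that still need removing or upgrading.
    audit_genericons "$1" | grep -c '^SCRIPTED ' || true
}

make_sample_tree() {
    # Constructed sample layout mirroring the find output in the article.
    root=$(mktemp -d)
    for t in twentythirteen twentyfourteen twentyfifteen; do
        mkdir -p "$root/wp-content/themes/$t/genericons"
    done
    echo '<html><body>icons</body></html>' \
        > "$root/wp-content/themes/twentythirteen/genericons/example.html"
    echo '<html><body>icons</body></html>' \
        > "$root/wp-content/themes/twentyfourteen/genericons/example.html"
    echo '<html><script src="jquery.min.js"></script></html>' \
        > "$root/wp-content/themes/twentyfifteen/genericons/example.html"
    echo "$root"
}

# On a real server, pass the document root as the first argument.
if [ $# -gt 0 ]; then
    audit_genericons "$1"
fi
```

A STATIC result only means the heuristic did not match; the file is still non-essential and can be removed along with the others.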

How to Patch your Installation

The recommended way to patch your system is simply to upgrade WordPress. This will not only secure your system against this vulnerability, but also any other issues that may have been fixed.

If your permissions allow it, you can usually upgrade your installation using the admin panel update controls. You may see this option as a link on the main page (as shown in the previous screenshot). If not, you can go to the “Updates” option in the control panel and click on the “Update Now” button:

[Screenshot: WordPress update now]

You will also likely have to update your themes and plugins separately.

Although we highly recommend that you update WordPress completely (along with any affected themes or plugins), it is also easy to delete the offending files manually.

To do so, log into your WordPress server and navigate to your document root directory. You can remove the offending files by typing:

    sudo find . -path "*/genericons/example.html" -exec rm -f {} \;

You can then check your directory structure again:

    find . -path "*/genericons/example.html"

All of the example.html instances within a genericons directory should be removed.

Conclusion

While the number of users that were vulnerable to this bug was very high, the fix is very straightforward and can be accomplished through the normal WordPress update method. If you manage WordPress installations for your own purposes or for clients, the patch available in 4.2.2 will close this vulnerability easily. As always, one of the best methods to keep your WordPress installations secure is to ensure that you apply any security updates immediately.
