Millions of WordPress websites are at risk of being completely hijacked by hackers due to a critical cross-site scripting (XSS) vulnerability present in the default installation of the widely used content management system.

The cross-site scripting (XSS) vulnerability was uncovered by security researcher David Dedes from Web security firm Sucuri.

The WordPress vulnerability resides in the Genericons webfont package, which is part of the default WordPress Twenty Fifteen theme.


The XSS vulnerability has been identified as DOM-based, which means the flaw resides in the Document Object Model (DOM), the browser's in-memory representation of a page's text, images, headers and links.

The easy-to-exploit DOM-based cross-site scripting (XSS) vulnerability is caused by an insecure file shipped with Genericons that allows the Document Object Model environment in the victim's browser to be modified.

What is a DOM-based XSS attack?

In a DOM-based cross-site scripting attack, the payload executes in the DOM (Document Object Model) rather than as part of the HTML delivered to the victim's browser.

This means the page itself does not change, but the client-side code contained in the page executes differently because of the malicious modifications to the DOM environment.

DOM-based cross-site scripting vulnerabilities are much harder to detect than classic XSS flaws because they reside in the website's own client-side script code, not in the HTML the server returns.

A DOM-based XSS vulnerability allows hackers to steal or hijack a user's session and to carry out very advanced phishing attacks.

The vulnerability is actively being exploited in the wild, and so far the researcher has found the JetPack plugin and the Twenty Fifteen theme to be vulnerable to a DOM-based XSS attack. Apparently, any WordPress plugin that ships with the Genericons package is potentially vulnerable to the attack.

JetPack is a popular WordPress plugin with more than 1 million downloads. The plugin bundles many useful features, including customization, traffic, mobile, content and performance tools, which make managing a WordPress site a whole lot easier.

How is a WordPress website hijacked?

Generally, a DOM-based XSS attack requires an administrator to click on a malicious link while logged into a vulnerable WordPress installation; once the link is clicked, the hackers can gain full control of the vulnerable website.



Measures to protect your WordPress website:

Administrators of WordPress sites should check whether their site is running the Genericons package.

If it is, they should either immediately delete the example.html file that is included with the package or, at the very least, make sure that their web application firewall or intrusion detection system blocks access to it.
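As an added example (not code from the article or from Sucuri), the following POSIX shell script performs the check above: it scans a WordPress document root for every example.html that lives inside a genericons directory, counts the copies so a monitoring job can alert on them, and can remove them on request. The WordPress root path and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from Sucuri: find (and optionally
# delete) the Genericons example.html file inside a WordPress document root.
# Assumes a POSIX shell and the standard find(1); the layout under the root
# (themes and plugins shipping their own genericons/ directory) is assumed.

# Print every example.html located inside a directory named "genericons".
find_genericons_examples() {
  root="$1"
  find "$root" -type f -name 'example.html' -path '*/genericons/*' 2>/dev/null
}

# Return the number of copies found, so a scheduled check can alert on it.
count_genericons_examples() {
  find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every copy found and report each removal.
remove_genericons_examples() {
  find_genericons_examples "$1" | while IFS= read -r f; do
    rm -f -- "$f" && printf 'removed %s\n' "$f"
  done
}

# Usage: sh genericons-check.sh /var/www/html [--delete]
if [ "$#" -ge 1 ]; then
  if [ "$2" = "--delete" ]; then
    remove_genericons_examples "$1"
  else
    find_genericons_examples "$1"
  fi
fi
```

Without --delete the script only lists what it finds, which is the safer first step when a WAF rule rather than deletion is the chosen mitigation.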

Sucuri has contacted and informed almost a dozen Web hosts, which have already virtually patched the vulnerability on the websites they host.

The hosts include GoDaddy, ClickHost, Inmotion, HostPapa, DreamHost, WPEngine, Pagely, Pressable, SiteGround, Websynthesis, and Site5.