Cross Site Scripting Vulnerability In bbPress — Users Should Update Immediately

bbPressSecurity researchers have released details of a stored cross-site scripting vulnerability in the popular WordPress forum plugin bbPress. The vulnerability could potentially be used by an attacker to inject arbitrary JavaScript into pages on a bbPress site. The code could be executed on users’ browsers, creating a number of security issues, including the ability to exfiltrate authentication credentials.

All versions of bbPress prior to 2.5.9 are vulnerable. Users of older versions of bbPress should update immediately. Because the vulnerability was publicly disclosed following the release of a patch, malicious third-parties are aware of it, and the chances are high that bbPress sites will come under attack.

The vulnerability was first reported to bbPress developers on April 12th. A patched security release was made available on May 2nd.

Sites that actively encourage user-generated content are often vulnerable to cross-site scripting attacks. Because such sites take arbitrary user input and display it on web pages, there’s a risk that malicious users could include JavaScript as part of their input. JavaScript in web pages is automatically trusted and executed by browsers.

Developers use a number of techniques to make sure that this doesn’t happen. Data is filtered and sanitized to remove any potentially dangerous code or render it harmless. A failure to properly sanitize input creates a cross-site scripting vulnerability.

In this case, the vulnerability exists because of a flaw in a single function used by bbPress. When a user is mentioned in a bbPress post, the application will try to create a link to the user’s user page. The application searches through the text of a post, locates potential users, and creates a link. However, if the user mention is already included within a link’s href tag, the function fails to properly escape the URL, allowing for the insertion of arbitrary code.

An attacker can leverage this vulnerability to have their own code executed within a user’s browser.

Cross-site scripting vulnerabilities are among the most common types of vulnerability in web applications, both because it’s so difficult to account for and sanitize every possible way a user might try to inject code with their input, and because attackers gain a substantial advantage if they discover a XSS vulnerability.

We encourage users of WordPress and other content management systems and web applications to update their sites as soon after a new version is released as possible. Updates often include security fixes. If users don’t diligently update, it’s a near certainty that their site contains an exploitable vulnerability.

Matthew Davis is a technical writer and Linux geek for Future Hosting.

Dedicated Server Special

Take advantage of our Double RAM offer on the E3-1230v2 4 x 3.30GHz+HT server! Only $134.95 per month. Managed and Unmanaged options available at checkout.