More Bad News for WordPress
The Register reports that a researcher for the security firm Sucuri has uncovered a cross-site scripting (XSS) attack that targets WordPress websites. The news comes on the heels of recent announcements regarding security issues for WordPress and other CMS systems. The attack targets the WordPress Twenty Fifteen theme (which is part of the default configuration), as well as the Jetpack plugin.
According to the report, the attack modifies the example.html file that comes with the Genericons package. Because the cross-site scripting occurs with the example file present on the client system, the entire attack takes place on the client – without leaving a footprint in the network history.
Users are advised to remove the example.html file from the Genericons package or update to version 4.2.2, which should fix this vulnerability.
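
One way to apply the removal advice above on a server, as an added example that is not code from the report, Sucuri or WordPress. It assumes the package is unpacked in a directory whose name contains "genericons"; the function names and the install path in the usage comment are made up for this example.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the Genericons example.html
# and optionally delete it.
# Assumption: the package lives in a directory whose name contains
# "genericons" or "Genericons"; other example.html files are left alone.

# Print every matching example.html below the given root, one per line.
# -type f skips symlinks, so a link pointing elsewhere is never touched.
find_genericons_examples() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f -name 'example.html' -path '*[Gg]enericons*'
}

# Print how many matching files exist below the given root.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every matching file below the given root.
remove_genericons_examples() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f -name 'example.html' -path '*[Gg]enericons*' \
        -exec rm -f -- {} +
}

# Usage (path is a placeholder for your own install):
#   sh genericons_check.sh scan   /path/to/wordpress
#   sh genericons_check.sh remove /path/to/wordpress
case "${1:-}" in
    scan)
        find_genericons_examples "${2:-.}"
        ;;
    remove)
        find_genericons_examples "${2:-.}"   # list what is about to go
        remove_genericons_examples "${2:-.}"
        ;;
esac
```

Run `scan` first and review the list before running `remove`; a later theme or plugin reinstall can put the file back, so the scan is worth repeating after updates.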