WordPress has rushed out a patch today after news emerged of a critical cross-site scripting (XSS) flaw, found in the default installation of its widely used content managing system, was affecting millions of websites. The flaw, disclosed by Finland-based security research firm Klikki Oy, makes it possible for an attacker to gain complete control of the administration area and even the web server that WordPress is running on though the comments system.
Once a website is compromised, attackers are free to hijack users' passwords and perform pretty much any action that requires administrator privileges.
Although this could potentially affect millions of websites there are a couple of limiting factors. First, unless commenting privileges are deliberately left open, the malicious comment would need to be approved by an administrator first in order to be executed. While it's unlikely that random gibberish would be approved, attackers can work around this by getting a normal comment approved first, and subsequent comments would be approved by default.
The second thing to keep in mind is that sites that use the Akismet plug-in are not affected, which is the "vast majority of WordPress-powered sites" according to Automattic CEO Matt Mullenweg, who downplayed the risk. He also claims WordPress had no prior warning about the XSS flaw, something Klikki Oy refutes saying many attempts were made since November.
In any case, administrators are advised to upgrade to WordPress version 4.2.1 to avoid any potential damage. The update comes just one week after WordPress released version 4.2, which fixed a similar XSS flaw.