WordPress site owners who use the Akismet comment spam filtering plugin should update to version 3.1.5 of the plugin as soon as possible. Older versions of the plugin are vulnerable to a cross-site scripting attack that could put WordPress sites and users at risk of compromise. Sites with automatic updates activated should already be running the patched version, but it is probably worthwhile to check that your site is running the most recent version.
Site owners who rely on manual upgrades should immediately install the update for Akismet that is available in their site’s WordPress dashboard.
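As an added example (not a script from Akismet, WordPress or Sucuri), the following shell function compares an installed Akismet version string against the patched 3.1.5 release using `sort -V`, so an administrator can script the "is my site patched?" check rather than eyeballing the dashboard. The WP-CLI call at the end is an assumption about how the version would be obtained on a real site; the sample versions fed to it are constructed.

```shell
# Added example: decide whether an Akismet version is older than the patched 3.1.5.
PATCHED_AKISMET_VERSION="3.1.5"

# Returns 0 if the given version is older than the patched release,
# 1 if it is the patched release or newer, 2 if no version was supplied.
akismet_needs_update() {
  installed="$1"
  if [ -z "$installed" ]; then
    return 2
  fi
  # sort -V orders version strings numerically per component (3.10.0 > 3.9.0),
  # so whichever version sorts first is the older one.
  lowest=$(printf '%s\n%s\n' "$installed" "$PATCHED_AKISMET_VERSION" | sort -V | head -n 1)
  if [ "$lowest" = "$installed" ] && [ "$installed" != "$PATCHED_AKISMET_VERSION" ]; then
    return 0
  fi
  return 1
}

# Human-readable verdict for a version string.
akismet_status() {
  rc=0
  akismet_needs_update "$1" || rc=$?
  case "$rc" in
    0) echo "NEEDS UPDATE" ;;
    1) echo "PATCHED" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# Constructed sample versions, to show the verdicts offline:
for v in 3.1.4 3.1.5 3.1.6 3.10.0; do
  echo "akismet $v: $(akismet_status "$v")"
done

# On a live site with WP-CLI installed (assumed), run from the WordPress root:
#   akismet_status "$(wp plugin get akismet --field=version)"
```

Note that `sort -V` is a GNU coreutils feature; on systems whose `sort` lacks it, the comparison falls back to plain lexical order and `3.10.0` would sort before `3.1.5`.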
Akismet ships with WordPress by default, which makes it by far the most popular spam-fighting plugin for the platform, but simply having it installed does not put a site at risk. The proof of concept published by Sucuri, which discovered the attack, requires that Akismet is activated and that the “Convert emoticons…” setting is enabled.
Disabling the “Convert emoticons…” setting will prevent the attack working as described by Sucuri, but the company recommends that Akismet users update anyway, because there are probably other paths to achieve the same outcome.
Cross-site scripting attacks abuse a security feature built into browsers called the same-origin policy. The same-origin policy prevents site A from accessing information belonging to site B, but it allows any content served from pages on site A to access information from site A, including authentication cookies and other sensitive data: content from the same origin is trusted. If a cross-site scripting vulnerability lets an attacker’s code run in a user’s browser, that code has the same permissions as the site’s legitimate content, and if the user has admin privileges, that can include sensitive administrative information.
Although it might seem simple, sanitizing user input is fraught with complexity, which is why cross-site scripting is the most commonly reported class of vulnerability on the web.
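To make that complexity concrete, here is an added example (not code from Akismet, WordPress or Sucuri) in Python: the same untrusted comment text is rendered into an HTML body and into an HTML attribute, and escaping that is correct for one context is shown to be insufficient for the other. The comment strings are constructed samples; the render functions are hypothetical stand-ins for a plugin's output code.

```python
"""Added example: output escaping has to match the HTML context the text lands in."""
import html

# Constructed sample inputs standing in for attacker-controlled comment text.
TAG_COMMENT = "<script>alert(1)</script>"
ATTR_COMMENT = '" onmouseover="x'


def render_body_unescaped(comment: str) -> str:
    """The bug: untrusted text is concatenated straight into the page body."""
    return f"<p>{comment}</p>"


def render_body(comment: str) -> str:
    """Hardened body rendering: <, >, & and quotes become entities."""
    return f"<p>{html.escape(comment)}</p>"


def render_attr_weak(comment: str) -> str:
    """Escapes only <, > and &, which is enough for a body but not an attribute:
    a double quote in the input closes the title attribute early."""
    return f'<span title="{html.escape(comment, quote=False)}">comment</span>'


def render_attr(comment: str) -> str:
    """Hardened attribute rendering: quotes are escaped too, so the value
    cannot terminate the attribute it sits in."""
    return f'<span title="{html.escape(comment, quote=True)}">comment</span>'


def breaks_out_of_attribute(fragment: str) -> bool:
    """Crude structural check: more than one title=\"...\" boundary pair of
    quotes means the attribute value was terminated by the input itself."""
    start = fragment.index('title="') + len('title="')
    end = fragment.index('">comment')
    return '"' in fragment[start:end]


if __name__ == "__main__":
    print("body, unescaped :", render_body_unescaped(TAG_COMMENT))
    print("body, escaped   :", render_body(TAG_COMMENT))
    print("attr, weak      :", render_attr_weak(ATTR_COMMENT),
          "(breakout)" if breaks_out_of_attribute(render_attr_weak(ATTR_COMMENT)) else "")
    print("attr, hardened  :", render_attr(ATTR_COMMENT),
          "(breakout)" if breaks_out_of_attribute(render_attr(ATTR_COMMENT)) else "")
```

The point the example makes is that "sanitizing input" is the wrong mental model: the same stored comment needs different treatment depending on whether it is emitted into element content, an attribute value, a URL or a script block, and a filter written with only one of those contexts in mind leaves the others open. WordPress exposes context-specific helpers for exactly this reason (for example `esc_html()` and `esc_attr()`), and plugin code that converts or rewrites comment text before output, as the emoticon conversion path does, has to escape after that rewriting, not before.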
If you’re interested in the full details of the attack, take a look at Sucuri’s blog post.