Hackers Could Take Over WordPress Blogs with a Single Comment

​If you have a WordPress blog, be wary of extremely long comments—it could be a hacker trying to take over your site.

Thanks to a bug in WordPress, the content management platform that powers more than 20 percent of the entire web, an attacker can hijack a site powered by WordPress with a simple, but extremely long, comment. The bug was disclosed by Jouko Pynnönen, a researcher at Finnish security company Kli​kki Oy, on Sunday.

To take advantage of this bug, a hacker has to post an extremely long comment—more than 64 kilobytes or roughly 65,000 characters— that contains malicious JavaScript code into a WordPress blog that uses the platform's default comment system. If the comment is long enough, it will be truncated and will result in malformed HTML on the page and lead to code execution.

When the administrator of the blog sees the comment, the script gets triggered, and the attacker can basically take over the site.

"The attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system," Pynnönen wrote in a blog p​ost detailing the bug on Sunday.

This vulnerability is known as a cross​-site scripting (XSS) bug and it affects the latest version (4.2) of WordPress, as well as a few older ones (4.1.2, 4.1.1, 3.9.3). It's yet to be patched, which makes it a zero​ day vulnerability.

Pynnönen made a video to show how the bug works and released a proof of concept script to test the vulnerability.​

This bug is similar to another XSS bug disc​overed by researcher Cedric Van Bockhaven in 2014. After that bug was disclosed last week,  it took him "just a moment to find and confirm," Pynnönen said in an email, and that other people have probably found it too and and might be using it for malicious purposes.

Matt Mullenweg, the founding developer of WordPress, told Motherboard in a statement that WordPress developers are working on a fix that should released in the "coming hours" with an auto update. Mullenweg admitted that this is a dangerous bug, but said its impact might be limited.

"It is a core issue," he said, "but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [WordPress plugin] Akismet, which blocks this attack."

Mullenweg did not answer to a follow-up question on how many sites might be vulnerable to the bug, but also said that the WordPress team had been made aware of the bug only "a few hours ago."

Pynnönen wrote in his blog post that "WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014." (WordPress did not immediately answer to a request for comment regarding this claim.)

Given that, and considering that the bug found by Van Bockhaven in 2014, was only patched last week—14 months after the discovery—"the best alternative" was to publish the bug directly, rather than waiting months or years for a patch, Pynnönen said.

"All this time, WordPress servers with the default comment settings have been relatively easily hackable," he told Motherboard.

If you have a WordPress blog that doesn't run Akismet, while you wait for the patch, you should disable comments, Pynnönen suggested in his blog.

UPDATE, 04/27/2015, 2:56 p.m. ET: Wordpress ​released a patch that fixes this vulnerability on Monday afternoon.

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress wrote in a ​blog post.

For users with automatic updates, the patch should roll out automatically. But if you don't have automatic updates, you should download it manually or update through your site's WordPress dashboard.