How this happens? The comments are stored in the table “wp_comments”, precisily in the column “comment_content”, with type “text”, that has a maximum size of 65535 bytes (or 64 kilobytes), and when this limit is reached the database mysql truncates and inserts the information, resulting in malformed HTML generated on the page, permiting that the code has been stored without any filter. And the script is activated when someone open the comments. This is specially dangerous if the administrator of the site is logged in his administrative account, because this permits change of password, and so on.
An example of entry that explores this issue:
“<a href=’x onclick=alert(1) AAAAAAAAAAAAAA..(more than 65 kilobytes)’>test</a>”
This vulnerability affects the following versions: 4.2, 4.1.2, 4.1.1, 3.9.3, and was tested with MySQL versions 5.1.53 and 5.5.41.
The good news is that the Core Team of WordPress already released a security pack that fixes this issue in April 27th, for more on this click HERE . If you aren’t able to perform the update of version right now, you can disable the comments or use a WAF (Web Application Firewall) to filter what is posted in your articles.
By Ícaro Torres
BIO: Icaro Torres is a technologist of network computer and postgraduate in information security, that works in the HostDime Brazil with technical support and audit/security of the systems hosted in Datacenters of the company. He is contributing in the OWASP with translation projects and in the chapter in his city. He continuously studies about web application security, pentest and malware analysis.