News has emerged of a new vulnerability in a popular, default WordPress plugin that could allow an attacker to hijack websites built using the platform.
Discovered by a researcher at consultancy Sucuri, the flaw is a cross-site scripting (XSS) vulnerability in the Twenty Fifteen plugin, which is installed on all WordPress sites. Another widely used plugin, JetPack, is also vulnerable. Luckily, site owners can fix the vulnerability by removing an HTML file from their sites, as detailed in the article here.
We’ve warned before about security vulnerabilities and flaws in popular platforms that create opportunities for attackers: it’s thanks to the diligence of security researchers that these flaws are discovered and closed before real damage can be inflicted. Assuming that we’re safe and protected against attacks is always a dangerous game.