You have to pay particular attention to this if you have a WordPress site, according to a report by security firm Sucuri. The report notes that any WordPress plugin or theme that bundles the Genericons package is vulnerable to DOM-based cross-site scripting (XSS) because of an insecure file included with Genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) have been found to be vulnerable.
The report went on to explain DOM-based XSS:
“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”
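To make the quoted definition concrete, here is an added example (not code from the Sucuri report or from any WordPress plugin or theme). It models the pattern in a few lines: the server response never changes, but the page's own script reads the URL fragment and hands it to a markup-parsing sink. It also includes a simple source-to-sink line scanner of the kind a reviewer can run over the JavaScript shipped with a theme or plugin. The element stand-in, the `findDomXssCandidates` helper and the sample script are all assumptions made for this example.

```javascript
// Added example, not code from the Sucuri report or from any WordPress plugin or theme.
// It models the DOM-based XSS pattern from the quoted definition: the server's HTTP
// response never changes; the page's own script reads an attacker-controlled part of
// the DOM environment (here, the URL fragment) and hands it to a markup-parsing sink.

// Minimal stand-in for a DOM element so the example runs outside a browser (assumption).
// innerHTML records what the browser's HTML parser would receive as markup;
// textContent records the string as literal text only.
function makeElement() {
  return {
    markup: null,
    text: null,
    set innerHTML(v) { this.markup = v; },
    set textContent(v) { this.text = v; },
  };
}

// Escape the characters that let a value break out of text context inside HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the fragment is concatenated into markup, so any tags it carries are parsed.
function renderVulnerable(hash, el) {
  el.innerHTML = "<h2>Icon: " + decodeURIComponent(hash.slice(1)) + "</h2>";
  return el.markup;
}

// Hardened: escape before the value reaches a markup sink
// (or assign to textContent when no surrounding markup is needed).
function renderSafe(hash, el) {
  el.innerHTML = "<h2>Icon: " + escapeHtml(decodeURIComponent(hash.slice(1))) + "</h2>";
  return el.markup;
}

// Review aid for theme and plugin JavaScript: flag lines where a DOM-XSS source and an
// HTML-interpreting sink appear together. A per-line heuristic that yields candidates
// for manual review, not proof of a vulnerability (it misses values passed via variables).
const DOM_SOURCES = ["location.hash", "location.search", "location.href", "document.URL",
                     "document.referrer", "window.name"];
// "$(" is listed because some jQuery versions parse strings containing "<...>" as HTML.
const DOM_SINKS = ["innerHTML", "outerHTML", "document.write", "insertAdjacentHTML",
                   "eval(", ".html(", "$("];

function findDomXssCandidates(jsSource) {
  const findings = [];
  jsSource.split("\n").forEach((line, i) => {
    const source = DOM_SOURCES.find((s) => line.includes(s));
    const sink = DOM_SINKS.find((k) => line.includes(k));
    if (source && sink) findings.push({ line: i + 1, source, sink, text: line.trim() });
  });
  return findings;
}

// Constructed sample script resembling a demo page bundled with an icon package (hypothetical).
const SAMPLE_SCRIPT = `
var icon = window.location.hash;
document.getElementById("preview").innerHTML = "<span class=" + window.location.hash + ">";
$(window.location.hash).addClass("selected");
document.getElementById("name").textContent = window.location.hash;
`;

// Constructed attacker-controlled fragment; in practice it would arrive via a crafted link.
const PAYLOAD_HASH = "#<img src=x onerror=alert(1)>";

function demo() {
  console.log("vulnerable:", renderVulnerable(PAYLOAD_HASH, makeElement()));
  console.log("hardened:  ", renderSafe(PAYLOAD_HASH, makeElement()));
  console.log("review candidates:", findDomXssCandidates(SAMPLE_SCRIPT));
}
demo();
```

The scanner flags the two lines in the sample where the fragment reaches `innerHTML` and a jQuery selector, and leaves the `textContent` assignment alone; treating its output as a review list rather than a verdict is the point of the heuristic.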
Late last year, millions of Drupal sites were affected by a bug that hackers exploited to take control of sites.
The company has since warned hosting companies such as GoDaddy and DreamHost, which have taken steps to protect WordPress sites hosted on their platforms. If you have not been warned of this by your provider, contact them now.
According to a February 2014 report, over 70 million sites ran on WordPress, and that figure is expected to have risen given the rate at which new websites are launched every day around the world.