As a WordPress site owner, it is essential to be aware of vulnerabilities that may threaten your website. Recently, cybersecurity firm Sucuri uncovered a significant vulnerability within the widely popular WordPress platform that could put millions of websites at risk.
The vulnerability originates from a package known as ‘genericons’. Any WordPress plugin or theme that bundles this package may be susceptible to a DOM-based Cross-Site Scripting (XSS) vulnerability, because an insecure file included within the ‘genericons’ package is responsible for it.
Worth noting is that the plugins and themes at risk include the JetPack plugin, which has a staggering user base of over 1 million active installs, and the TwentyFifteen theme, which is installed by default on many WordPress versions.
Sucuri further elaborated on the nature of the DOM-based XSS vulnerability stating,
“A DOM-Based XSS is an advanced form of XSS attack in which the attack payload is executed as a result of modifying the Document Object Model (DOM) ‘environment’ in the victim’s browser, rendered by the client-side script. In essence, the HTTP response page remains unchanged, but the client-side code executes differently due to malicious modifications made within the DOM environment.”
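To make the quoted definition concrete, the following is an added example (it is not code from the article, from Sucuri, from WordPress, or from the genericons package). It shows a hypothetical client-side snippet that writes the URL fragment into the page with innerHTML (the server response never changes, only the browser-side script creates the injection), the same snippet hardened to use textContent, and a coarse code-review heuristic that flags lines where a DOM source such as location.hash reaches a dangerous sink. The element objects, the regular expressions and the sample script are all constructed stand-ins so the code runs offline in Node.

```javascript
// Added example, not from the article or from any project it mentions.
// Element objects below are constructed stand-ins for DOM nodes so the code runs
// without a browser; in a real page you would pass the actual element.

// Minimal stand-in for a DOM element: records what was written to each sink.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// VULNERABLE pattern (hypothetical): the URL fragment, an attacker-controllable
// "source", reaches the innerHTML "sink" unencoded, so any markup in it is parsed
// and executed by the browser. The HTTP response from the server is identical.
function showFragmentUnsafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.innerHTML = "Selected icon: " + name;
  return el;
}

// HARDENED pattern: write the untrusted value as text. The browser never parses
// it as HTML, so the same input is displayed literally instead of interpreted.
function showFragmentSafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.textContent = "Selected icon: " + name;
  return el;
}

// Defender-side review heuristic (constructed, not a full taint analysis): flag
// lines where a well-known DOM source and a dangerous sink appear together.
const DOM_SOURCES = /\b(location\.(hash|search|href)|document\.(URL|referrer)|window\.name)\b/;
const DOM_SINKS = /\.(innerHTML|outerHTML)\s*=|document\.write\s*\(|\beval\s*\(/;

function findDomXssCandidates(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (DOM_SOURCES.test(line) && DOM_SINKS.test(line)) {
      hits.push({ line: i + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample script resembling a demo page that echoes the URL fragment.
const SAMPLE_SCRIPT = [
  "var icon = location.hash.slice(1);",
  "document.getElementById('out').innerHTML = '<span>' + location.hash + '</span>';",
  "document.getElementById('out').textContent = location.hash;",
  "document.write('<b>' + document.URL + '</b>');",
].join("\n");

// Runs both renderers on a fragment that carries markup and scans the sample script.
function demo() {
  const fragment = "#<b>injected markup</b>";
  const unsafe = showFragmentUnsafe(makeElement(), fragment);
  const safe = showFragmentSafe(makeElement(), fragment);
  return {
    unsafeHtml: unsafe.innerHTML,   // markup lands in the HTML sink
    safeText: safe.textContent,     // same string, but as inert text
    findings: findDomXssCandidates(SAMPLE_SCRIPT).map((h) => h.line),
  };
}
```

Running `demo()` shows the only difference between the two renderers is the sink they write to, which is exactly what the quoted definition means by the response page staying unchanged while the client-side code behaves differently. The scanner flags lines 2 and 4 of the constructed script (innerHTML and document.write fed from the URL) and ignores line 3, where the same source is written as text; treat its output as a starting point for manual review, since it cannot follow data across statements.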
Just last year, a somewhat similar occurrence plagued millions of Drupal websites. Hackers exploited a bug, effectively taking control of numerous sites. The WordPress vulnerability signals the inception of a potentially greater crisis.
In light of this discovery, WordPress has warned several hosting companies, such as GoDaddy and Dreamhost, which are taking steps to safeguard the WordPress websites they host. If you haven’t received any communication from your hosting provider regarding protective measures, we recommend you contact them to verify your site’s safety.
As per a 2014 report, over 70 million websites depended solely on WordPress, with the figure likely to have risen significantly, given the rate at which new websites are being launched globally.
Hence, securing your WordPress sites from potential exploits should take precedence. Unanticipated vulnerabilities are part and parcel of digital technology, but constant vigilance, prompt attention to updates, and good cybersecurity practices go a long way in protecting your website.
[This article was updated in 2025 to reflect the current cyber threats associated with WordPress.]