A vulnerability has been discovered by Sucuri during one of their regular research audits. They have discovered a source-based stored Cross-Site Scripting (XSS) vulnerability that affects WordPress 4.8.1. Exploiting the vulnerability requires an account on a WordPress site with the Contributor role, which is a user who can write and manage posts but cannot publish them, or alternatively, on a WordPress installation running the bbPress plugin, any account that has posting capabilities. If either of these conditions is met, then not only can a victim's user account be hijacked, but the entire WordPress installation and the underlying server can be compromised. The XSS vector can make a call to an external script that performs a Cross-Site Request Forgery attack. With the attacker acting on behalf of an administrator user, they can send authenticated requests to edit the website's current PHP code, resulting in a complete takeover.
To patch this vulnerability, you need to update your WordPress installation as soon as possible. If you have automatic updates set up on your WordPress installation, then you should already be protected and no further action is required. If you believe your WordPress site has been hacked, then contact either Sucuri or us immediately for professional advice.