On October 19, 2017, WordPress officially released a security notice stating that a stored XSS vulnerability had been found in version 4.8.1.
Through this vulnerability, an attacker can write a message containing malicious code to an affected site. When the message page is opened, the malicious code is executed, which can result in site permissions, plugins, etc. being changed, or even in the site being completely controlled. The security risk is rated high.
WordPress is currently a CMS with a relatively large install base. Site owners are advised to pay attention to this issue, carry out a self-check as soon as possible, and update to the latest version of WordPress.
Exploit conditions and methods:
- Remotely exploitable
- PoC status: a PoC is currently public
- Affected version: WordPress 4.8.1
- Unaffected version: WordPress 4.8.2
The latest version, 4.8.2, has been released. It is recommended that users log in to the panel and click “update upgrade” to fix the vulnerability.