A security researcher Paulos Yibelo discovered an interesting, albeit incomplete, technique for circumventing CSP (Content Security Policy) controls using WordPress which is marked as a critical vulnerability.
The hack, discovered by security researcher Paulos Yibelo, is based on exploiting the same-origin method execution and went public with the findings through a technical blog post.
To call a function, this technique employs JSON padding. That’s the kind of thing that could compromise a WordPress account, but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have yet.
Content Security Policy is a technology that websites use to block external resources and prevent XSS attacks.
Attacks are potentially possible in two scenarios:
- Websites that do not use WordPress directly but have a WordPress endpoint on the same domain or subdomain
- A WordPress-hosted website with a CSP header.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.