WordPress is a free and open source content management. The application is built around PHP and MySQL. The main feature of WordPress includes a template system and plugin architecture. The primary users of WordPress include blogging, basic mailing list, forums, online store and many more. More than 60 million websites are using WordPress. WordPress is also used in other fields like PDS(Pervasive Display System).
WordPress themes are used to make design changes to the web application. The theme might also include design layouts too. The themes are available in https://wordpress.com/themes. The WordPress theme can make the following changes like changing layouts, how content should be displayed, device-specific designs, customise CSS contents and many more. Good themes will improve the look and feel of the site. The themes make changes to index.html and style.css files. The additional files include PHP files, Graphics, Javascript and many more. The main difference between a WordPress theme and WordPress plugin is that themes control the presentation, while the plugin controls the behaviour and features of WordPress.
An attacker can exploit a WordPress site that uses a vulnerable theme. A vulnerable theme might make the application vulnerable to attacks like XSS, SQL injection and many more. There are themes like BBE theme, swape theme and many more. These themes are vulnerable to stored XSS and many more attacks. The common method is:-
- Email Spoofing
- Privilege Escalation
- Information Disclosure
- Refraction Theme Multiple Vulnerabilities
- VideoJS plugins Cross-site Scripting (XSS)
- Reflected Cross-Site Scripting
- arbitrary file upload and download
Mitigation / Precaution
Beagle recommends the following fixes:-
- Update the themes to the latest version. Updating the theme might fix all the bugs in the previous versions of WordPress.
- If updating the theme is a no-go for the application, install the patch released by developers of the theme to fix the vulnerability.
