Critical vulnerability in the content management system WordPress

A critical vulnerability has been detected in the content management system WordPress. The vulnerability was detected by a Finnish information security company Klikki Oy. The vulnerability concerns all the WordPress 3 versions that have been published so far. By means of the vulnerability, the attacker can execute arbitrary commands by using the administrator's rights and thereby change the administrator's password, for example. The exploitation of the vulnerability does not require authentication, and the commentary feature enabling the exploitation is used as default in the basic installation of the WordPress software.

The vulnerability relates to the commentary function enabled by the Word Press installation, i.e. it is possible to comment web sites and messages. The attacker can hijack the target system by entering appropriately edited JavaScript code in the comment field.

The exploitation of the vulnerability requires that the comment entered in the web site is read by using the administrator's user IDs. Thereby, the program code in the comment is executed and, consequently, it is possible for the attacker to hijack the target system. The system administrator cannot notice the execution of the program code at all. Moderation of comments is a common method on the WordPress sites. This means that the comments are not published before the site administrator has accepted them.

The programming error enabling the vulnerability is located in the WordPress installation's file wp-includes/formatting.php. Due to the error, the software interprets the square brackets and corner marks entered in the comment field erroneously. When used in an appropriate way, this leads to the execution of the preferred text as HTML code.

Administrators must update the vulnerable WordPress installations to the patched versions as soon as possible.

The vulnerability was found by a Finnish information security company Klikki Oy.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others


  • Servers and server applications
Further information +

Attack vector

  • No authentication required
  • Remote
  • No user interaction required
Further information on the access vector +


  • Execution of arbitrary commands
  • Expansion of access rights
  • Editing of information
  • Obtaining of confidential information
  • Denial-of-service attack
  • Security bypass
Further information on the impact +


  • Software update patch
  • Restriction of the problem
Further information on the remediation +

Vulnerable software:

WordPress 3.0–3.9.2

Possible solutions and restrictive measures:

The recommended solution is to update the vulnerable software in accordance with the vendor's instructions to the version 4.0.1

If automatic background updates WordPress are activated, the server updates the versions 3.9.2, 3.8.4 and 3.7.4 to the software versions 3.9.3, 3.8.5 and 3.7.5 in order to patch the vulnerability. However, the vendor recommends that the installations are updated to the version 4.0.1 because the older versions are not supported.

If it is not possible to update, the possibility to exploit can be limited by deactivating the possibility to add comments to the site.

Further information:

Update history

Key words: Information security , Vulnerabilities

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248