Security Affairs

Million WordPress websites vulnerable to DOM-based XSS


Every WordPress plugin or theme that uses the genericons package is potentially vulnerable to a DOM-based XSS vulnerability.

Experts at the Sucuri firm have discovered that any WordPress Plugin or theme that leverages the genericons package is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons.

The experts explained that the vulnerable plugins include the JetPack plugin, which has more than 1 million active installations, and the TwentyFifteen theme that comes by default with WordPress.

Due to the large number of affected websites, Sucuri has reported the flaw to the hosting providers.


Any plugin that makes use of the genericons package is potentially vulnerable if it includes the example.html file that is normally included with the flawed package.

“We cannot forget one of the basic principles of security, in which we must maintain a pristine environment in production. This means we remove debug or test files before you move into production. In this case, Automattic and the WordPress team left a simple example.html file that had the vulnerability embedded,” states Sucuri.

The researchers explained that in order to exploit the DOM-based XSS vulnerability, bad actors need to trick the victim into clicking on an exploit link. Unfortunately, threat actors are already exploiting the DOM-based XSS vulnerability worldwide.

“What is interesting about this attack is that we detected it in the wild days before disclosure. We got a report about it and some of our clients were also getting reports saying they were vulnerable and pointing to:

http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>

In this proof of concept, the XSS printed a javascript alert, but could be used to execute javascript in your browser and take over the site if you are logged in as admin.” states a blog post published by Sucuri.

The good news is that the DOM-based XSS vulnerability is quite easy to fix: it is enough to remove the “example.html” file or block any access to it.
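As an added illustration of the bug class (this is constructed code, not the genericons example.html and not Sucuri's), a fragment-driven page script is shown in its vulnerable and hardened forms; `makeElement` is an assumed stand-in for a DOM node so the functions run outside a browser, where `hash` would be `window.location.hash`.

```javascript
// Minimal stand-in for a DOM element (assumption: in a real page this would be
// document.getElementById(...), which exposes the same three properties).
function makeElement() {
  return { innerHTML: '', textContent: '', className: '' };
}

// Vulnerable pattern: the URL fragment (everything after '#') is decoded and
// written into the page with innerHTML, so markup in the fragment is parsed as
// HTML and any event handler in it runs in the site's origin. The fragment is
// never sent to the server, which is why a WAF or server-side filter does not
// see it and why this is DOM-based rather than reflected XSS.
function showIconVulnerable(hash, element) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  element.innerHTML = '<span class="genericon genericon-' + name + '"></span>';
  return element.innerHTML;
}

// Hardened pattern: the fragment is meant to name an icon, so only a known-safe
// character set is accepted, malformed encoding is rejected, and the value is
// assigned through properties (className, textContent) that cannot introduce
// markup. Returns the accepted icon name, or null when the input is rejected.
const ICON_NAME = /^[a-z0-9-]{1,40}$/;

function showIconHardened(hash, element) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    name = '';            // malformed percent-encoding: treat as invalid
  }
  if (!ICON_NAME.test(name)) {
    element.textContent = 'unknown icon';
    return null;
  }
  element.className = 'genericon genericon-' + name;
  element.textContent = name;
  return name;
}
```

The page's own remedy, deleting example.html or denying access to it, remains the right fix for the shipped file; the hardened form shows what a demo page that must read the fragment should have done instead.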

Pierluigi Paganini

(Security Affairs –  WordPress, DOM-based XSS vulnerability)