During a routine audit, Sucuri discovered a critical stored XSS vulnerability in Akismet, a popular WordPress plugin with millions of active installs. The vulnerability affects every site running Akismet version 3.1.4 or lower with the WordPress “Convert emoticons like :-) and :-P to graphics on display” option enabled, which it is by default on any new WordPress installation.
The issue lies in the way Akismet handles hyperlinks present in the site’s comments: an unauthenticated attacker with good knowledge of WordPress internals could use it to inject malicious scripts into the Comments section of the administration panel. An attack of this kind opens up multiple exploitation scenarios, up to and including a full site compromise.
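A quick exposure check for the two conditions named above (Akismet at or below 3.1.4, emoticon conversion enabled), written here as an added example rather than code from Sucuri or the Akismet project. It reads the `Version:` field from a plugin main-file header and the value of WordPress's `use_smilies` option (the setting behind the “Convert emoticons …” checkbox, e.g. as printed by `wp option get use_smilies`); the header text and option value below are constructed samples, and the function names are this example's own.

```python
import re

# Constructed sample of a WordPress plugin main-file header. The real Akismet
# header carries more fields; only "Version:" matters for this check.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Akismet
Version: 3.1.3
Author: Automattic
*/
"""

# Constructed sample of the `use_smilies` option value. WordPress stores the
# "Convert emoticons ... to graphics on display" checkbox as "1" (enabled,
# the default on a fresh install) or "0".
SAMPLE_USE_SMILIES = "1"

# From the advisory: Akismet 3.1.4 and lower are affected.
LAST_VULNERABLE_VERSION = "3.1.4"


def parse_version(version):
    """Turn '3.1.4' into (3, 1, 4) so releases compare numerically.

    A plain string comparison would rank '3.1.10' below '3.1.4'; splitting into
    integers avoids that. A non-numeric suffix such as '-beta1' is dropped.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """True when version string a is less than or equal to version string b."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    # Pad with zeros so '3.1' and '3.1.0' compare as equal.
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta <= tb


def plugin_version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def use_smilies_enabled(option_value):
    """Interpret the stored `use_smilies` option: '1' means conversion is on."""
    return option_value.strip() == "1"


def is_exposed(akismet_version, use_smilies_value):
    """Both advisory conditions must hold for the site to be in scope."""
    return (version_le(akismet_version, LAST_VULNERABLE_VERSION)
            and use_smilies_enabled(use_smilies_value))


if __name__ == "__main__":
    version = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print("Akismet", version, "exposed:", is_exposed(version, SAMPLE_USE_SMILIES))
```

On a live site the same check is `wp plugin get akismet --field=version` together with `wp option get use_smilies`; the numeric version comparison is the part worth keeping, since a naive string comparison would misclassify any 3.1.x release with a two-digit patch number.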