WordPress has issued a critical security patch to users after millions of websites were put at risk by a bug that allows attackers to take control of a site.
If your WordPress site allows users to post comments via the WordPress commenting system, you're at risk. An attacker could leverage a bug in the way comments are stored in the site's database to insert malicious scripts on your site, potentially allowing them to infect your visitors with malware, inject SEO spam, or even plant a backdoor in the site's code if the script runs in a logged-in administrator's browser.
You should definitely disable comments on your site until a patch is available, or put a WAF in front of it to protect your site and your visitors.
Sucuri published the technical details. As the schema above shows, comment text is stored in the comment_content column, which is a TEXT column, meaning a comment can hold at most 65535 bytes of data.
To avoid being hacked before the official patch is released:
- Disable comments on your site.
- Put a Web Application Firewall in front of the site to filter exploit attempts out of legitimate requests.
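For sites that cannot update yet, the two stopgaps above can also be applied from inside WordPress itself. The must-use plugin below is an added example written for this post, not code from WordPress, Sucuri or the 4.2.1 patch: it refuses any comment that would not fit in the 65535-byte comment_content TEXT column before WordPress stores it, and optionally closes comments site-wide. The plugin name, constant names and the `ocg_` function name are my own; `preprocess_comment`, `comments_open`, `pings_open` and `wp_die()` are standard WordPress hooks and functions.

```php
<?php
/**
 * Plugin Name: Oversized Comment Guard (added example, not part of the original post)
 * Description: Stopgap for sites that cannot update yet. Rejects comments that
 *              would not fit in the comment_content TEXT column (65535 bytes)
 *              and can optionally close comments site-wide.
 *
 * Install as wp-content/mu-plugins/oversized-comment-guard.php so it loads
 * without activation. Remove it once the site runs WordPress 4.2.1 or later.
 */

// MySQL TEXT holds at most 65535 bytes; this is the storage limit the post
// describes, so anything longer is refused before it reaches the database.
define( 'OCG_MAX_COMMENT_BYTES', 65535 );

// Set to true to take the post's first recommendation: close comments everywhere.
define( 'OCG_DISABLE_COMMENTS', false );

if ( OCG_DISABLE_COMMENTS ) {
    // Reports every post as closed for comments and pings, which also hides
    // the comment form in standard themes.
    add_filter( 'comments_open', '__return_false', 99 );
    add_filter( 'pings_open', '__return_false', 99 );
}

/**
 * Runs on the preprocess_comment filter, before WordPress inserts a comment.
 * strlen() is used on purpose: the TEXT limit is in bytes, not characters,
 * so mb_strlen() would under-count multibyte content and let oversized
 * comments through.
 *
 * @param array $commentdata Comment fields as assembled by WordPress.
 * @return array Unchanged comment data when the comment is within the limit.
 */
function ocg_reject_oversized_comment( $commentdata ) {
    $content = isset( $commentdata['comment_content'] ) ? $commentdata['comment_content'] : '';
    $bytes   = strlen( $content );

    if ( $bytes > OCG_MAX_COMMENT_BYTES ) {
        // Leave a trace for the site owner in the PHP error log, then refuse
        // the request with HTTP 413 (Payload Too Large) and a back link.
        $ip = isset( $commentdata['comment_author_IP'] ) ? $commentdata['comment_author_IP'] : 'unknown';
        error_log( sprintf( 'ocg: rejected %d-byte comment from %s', $bytes, $ip ) );

        wp_die(
            __( 'Your comment is too long to be stored.' ),
            __( 'Comment rejected' ),
            array( 'response' => 413, 'back_link' => true )
        );
    }

    return $commentdata;
}
// Priority 1 so the length check runs before any other comment filters.
add_filter( 'preprocess_comment', 'ocg_reject_oversized_comment', 1 );
```

A rejected comment never reaches wp_insert_comment, so nothing is truncated on insert and the log line gives the site owner a simple signal that someone is submitting oversized comments. This is a bridge until the update is applied, not a replacement for it.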
WordPress has since released the patch: the WordPress Core Team shipped it in version 4.2.1, and I would suggest you update immediately.