The Iran Cyber Security Group continue to show their expertise by discovering a full path disclosure vulnerability in a WordPress theme and then exploiting it by defacing websites including a USA Government website in Princeton, Texas.
The vulnerability was found in: WordPress Twentyfourteen Theme (Default Theme) Full Path Disclosure
Full Path Disclosure -FPD- allows attackers to see the full operating path of a vulnerable script e.g.: /home/omg/htdocs/file/ The FPD bug is executed by injecting unexpected characters into certain parameters of a web-page. The script doesn’t expect the injected character and returns an error message that includes information of the error, as well as the operating path of the targeted script.
One of the demonstration sites to prove the vulnerability exists is at http://www.princetontx.gov/wp-content/themes/twentyfourteen/index.php and the related defacement of the Princeton, Texas Government website -http://www.princetontx.gov/icg.php- can be seen here: http://zone-h.org/mirror/id/27235711
The defacement shows that it was also made by C10N3R Se7eN