Free AntiVirus!
WordPress Template.php HTML Injection Vulnerability
Filed in: Security, WordPress — January 3rd, 2007A cross-site scripting (XSS) vulnerability has been found in wp-admin/templates.php in WordPress. WordPress 2.0.5 and previous versions are affected. The National Vulnerability Database has marked the severity as 7.0 (High).
WordPress has fixed this for v2.0.6 and a patch has been released for v2.0.5.
The possible damage
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. — SecurityFocus.com
Read also:
[Thanks, JohnTP]
Comments Feed
TrackBack URL
January 4th, 2007 at 7:15 am
[...] According to LiewCF, The National Vulnerability Database has reported this as severity 7.0 (high). [...]
January 4th, 2007 at 4:14 pm
[...] אתמול אלעד הפנה אותי לפוסט בנדון. [...]
January 5th, 2007 at 4:12 pm
liew, how do i install this security patch?
thanks in advanced.
January 8th, 2007 at 11:18 am
@malique: you can download the patched file at http://trac.wordpress.org/changeset/4665 and replace your existing file on the server. Please make sure you have a backup first.
January 8th, 2007 at 6:03 pm
WordPress 2.0.6 has been released which includes this fix.
January 14th, 2007 at 3:15 am
[...] corrección de un importante fallo de seguridad (descrito en el el blog LiewCF*), y descubierto por David Kierznowski*, que hace más que aconsejable la actualización. [...]