Oct 31 2007

WordPress Cross-Site Scripting

Published under Security, WordPress

Well, it’s time to update your WordPress installation to the latest release (2.3.1) if you haven’t done so yet. Janek Vind has posted a less critical cross-site scripting vulnerability that applies to versions earlier than 2.3.0.

Input passed to the "posts_columns" parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
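The bug class described above, as an added PHP example (not WordPress’s own code): a simplified column-header renderer that echoes a request-supplied column name unescaped, beside a hardened version that restricts the name to a known set and HTML-escapes whatever it outputs. The function names, the `$allowed` list and the sample input are assumptions made for the example.

```php
<?php
// Added example, not WordPress code: the column names arrive straight from
// the request, as the unsanitised "posts_columns" parameter did.
// Constructed sample input; the second entry carries HTML markup.
$requested = array('title', 'author<b>x</b>');

// Vulnerable pattern: the value is interpolated into the HTML unchanged,
// so any markup or script it contains is returned to the browser as-is.
function render_columns_vulnerable(array $columns) {
    $html = '<tr>';
    foreach ($columns as $name) {
        $html .= '<th class="column-' . $name . '">' . $name . '</th>';
    }
    return $html . '</tr>';
}

// Hardened pattern: only known column names are accepted (so unexpected
// input is dropped, not echoed), and everything that reaches an attribute
// or the page body is escaped as defence in depth.
function render_columns_safe(array $columns, array $allowed) {
    $html = '<tr>';
    foreach ($columns as $name) {
        if (!in_array($name, $allowed, true)) {
            continue; // unknown column name: discard it
        }
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $html .= '<th class="column-' . $safe . '">' . $safe . '</th>';
    }
    return $html . '</tr>';
}

// Assumed set of legitimate column names for this example.
$allowed = array('title', 'author', 'categories', 'date');

echo render_columns_vulnerable($requested), "\n";
echo render_columns_safe($requested, $allowed), "\n";
```

Running it prints the markup from the second entry verbatim in the vulnerable output, while the hardened output contains only the allowed `title` column.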

Janek Vind’s original advisory can be found here and the latest version of WordPress can be found here.

If you want to speed up the WordPress upgrade, I also suggest taking a look at WordPress Automatic Upgrade, which takes care of the upgrade for you. It automatically upgrades a WordPress installation to the latest version provided by wordpress.org, following the five steps given in the WordPress upgrade instructions.

Kim Haverblad
