WordPress Default Theme XSS
Philipp Heinze of PhSoftware informed BlogSecurity of a cross-site scripting flaw in the default theme that ships with WordPress 2.2 and earlier; John Smith is credited for the discovery.
The Vulnerable Code
In the default theme's functions.php, line 387, the current request URI is echoed unescaped into a double-quoted attribute:
<form style="display: inline" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
Temporary Fix
As always, please make a backup before trying any fix.
Find line 387 (seen above) and change it to this:
<form style="display: inline" method="post" name="hicolor" id="hicolor" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>">
htmlspecialchars() converts &, <, > and " into HTML entities, so a value in the query string can no longer close the double-quoted action attribute and inject markup. If the attribute is ever single-quoted, pass ENT_QUOTES as the second argument; the older default (ENT_COMPAT) leaves single quotes untouched.
This problem can only be exploited while the administrator is logged in: the form sits on the theme's options page under wp-admin, so the injected script runs in the administrator's session when they open a crafted link.
Proof of concept test
http://www.example.com/wp-admin/themes.php?page=functions.php&zmx"><script>alert(1)</script>
PHP does not URL-decode $_SERVER['REQUEST_URI'], so the quote and angle brackets have to reach the server unencoded. Browsers of the time sent them raw; current browsers percent-encode ", < and > in the query string, which neutralises this particular URL.
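The following is an added example, not code from the original post or from WordPress. It renders the form tag the way the vulnerable line 387 does and the way the fixed line does, using the request URI from the proof of concept above (constructed here as a plain string rather than taken from a live request), and includes a small scanner that flags lines in a theme file that echo $_SERVER['REQUEST_URI'] without wrapping it in htmlspecialchars(). The function names are this example's own.

```php
<?php
// Added example, not from the original post or from WordPress.

// The request URI as the vulnerable server sees it for the proof-of-concept
// link. PHP does not URL-decode REQUEST_URI, so the quote and angle brackets
// arrive exactly as the browser sent them.
$request_uri = '/wp-admin/themes.php?page=functions.php&zmx"><script>alert(1)</script>';

// Mirrors the vulnerable line 387: the raw URI lands inside a double-quoted
// attribute, so a " in the query string closes the attribute early.
function render_form_vulnerable(string $request_uri): string
{
    return '<form style="display: inline" method="post" name="hicolor" id="hicolor" action="'
        . $request_uri . '">';
}

// Mirrors the fixed line: htmlspecialchars() turns &, <, > and " into
// entities. ENT_QUOTES additionally covers ' in case the attribute quoting
// ever changes.
function render_form_fixed(string $request_uri): string
{
    return '<form style="display: inline" method="post" name="hicolor" id="hicolor" action="'
        . htmlspecialchars($request_uri, ENT_QUOTES) . '">';
}

// Scans PHP source text for the pattern on line 387: an echo of
// $_SERVER['REQUEST_URI'] that is not wrapped in htmlspecialchars().
// Returns the 1-based line numbers that still need the fix.
function find_raw_request_uri_echoes(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $index => $line) {
        if (strpos($line, "\$_SERVER['REQUEST_URI']") === false) {
            continue;
        }
        $escaped = preg_match(
            '/htmlspecialchars\s*\(\s*\$_SERVER\[\'REQUEST_URI\'\]/',
            $line
        ) === 1;
        if (!$escaped) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

$vulnerable = render_form_vulnerable($request_uri);
$fixed      = render_form_fixed($request_uri);

echo "Vulnerable: $vulnerable\n";
echo "Fixed:      $fixed\n";

// The vulnerable output carries a live <script> element; the fixed output
// carries only the entity-encoded text &lt;script&gt;.
var_dump(strpos($vulnerable, '<script>') !== false); // bool(true)
var_dump(strpos($fixed, '<script>') === false);      // bool(true)

// Constructed two-line sample: the original line 387 followed by the fixed
// line. Only the first is reported.
$sample = '<form action="<?php echo $_SERVER[\'REQUEST_URI\']; ?>">' . "\n"
        . '<form action="<?php echo htmlspecialchars($_SERVER[\'REQUEST_URI\']); ?>">';
print_r(find_raw_request_uri_echoes($sample)); // Array ( [0] => 1 )
```

Run it with the PHP CLI (php example.php). The scanner is deliberately narrow: it looks for the exact REQUEST_URI pattern from this advisory, so other unescaped echoes in a theme would need their own check.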