WordPress MU < 2.7 Cross Site Scripting Vulnerability

Cross Site Scripting Vulnerability

Juan Galiana Lara has released details regarding a vulnerability that affects WordPress MU versions < 2.7.

Version 2.7 is NOT affected according to the advisory. So if you have upgraded to 2.7 you can ignore this advisory.

Vulnerability Details

WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in the choose_primary_blog function and is therefore prone to XSS attacks.

Web sites running in a name-based virtual hosting setup are not affected as long as they are not the default virtual host.
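
The pattern described above, as an added example that is not WordPress MU source code and not taken from the advisory: a Host header written into HTML unescaped, next to a version that validates it against known hosts and escapes it on output. All function names, the allowed-host list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; NOT the WordPress MU source. All function names are hypothetical.

// Vulnerable pattern: the client-supplied Host header is written into HTML as-is.
function render_blog_link_unsafe(array $server): string
{
    $host = $server['HTTP_HOST'] ?? '';
    return '<a href="http://' . $host . '/">http://' . $host . '/</a>';
}

// Hardened step 1: accept only a syntactically valid host that the site is known to serve.
function canonical_host(array $server, array $allowedHosts, string $default): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Drop an optional :port, then reject anything that is not a plain hostname.
    $host = (string) preg_replace('/:\d+$/', '', $host);
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$/', $host)) {
        return $default;
    }
    return in_array($host, $allowedHosts, true) ? $host : $default;
}

// Hardened step 2: escape for the HTML context even though the value was validated.
function render_blog_link_safe(array $server, array $allowedHosts, string $default): string
{
    $host = canonical_host($server, $allowedHosts, $default);
    $url  = htmlspecialchars('http://' . $host . '/', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Constructed sample requests; the last Host value contains markup characters.
$allowed = ['blogs.example.org', 'www.example.org'];
$samples = [
    ['HTTP_HOST' => 'blogs.example.org'],
    ['HTTP_HOST' => 'blogs.example.org:8080'],
    ['HTTP_HOST' => 'x"><b>injected</b>'],
];
foreach ($samples as $server) {
    echo 'unsafe: ', render_blog_link_unsafe($server), "\n";
    echo 'safe:   ', render_blog_link_safe($server, $allowed, 'blogs.example.org'), "\n";
}
```

For the third sample the unsafe function returns the markup unchanged inside the attribute, while the safe function falls back to the default host.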

More information

More information regarding this vulnerability is available here:
http://www.milw0rm.com/exploits/8196

Fix information

The latest version of WordPress MU is available here.

Thanks to Juan for informing us of this issue.


Comments

[...] in: WordPress MU < 2.7 Cross Site Scripting Vulnerability March 26, 2009 Tags: RSS feed for comments on this entry Leave a [...]

[...] Vulnerability: BlogSecurity reports on a WordPressMU cross site scripting vulnerability impacting WordPressMU versions prior to 2.7. If you [...]
