WordPress.com (2.3.2) is vulnerable to two Cross-Site Scripting vulnerabilities. It is important to note that these only affect WordPress.com blogs.

Proof-of-concept exploits have been released, and there is a danger that an XSS worm could use this type of vulnerability to compromise thousands of WordPress.com blogs. (See the developer-hosted versus hosted-blogs debate.)

Doz from hackerscenter.com released the advisory. The full-disclosure advisory is available, and a video demonstration was also released.

Note (again): these vulnerabilities only affect the hosted WordPress.com platform, because the downloadable WordPress package does not include the invite.php or users.php files.


Comments

Matt B. on 10 March, 2008 at 11:28 am #

That’s weird. I would have thought WP.com would run the latest code…


Andrea_R on 10 March, 2008 at 3:14 pm #

What about WordPress MU? It doesn't contain the invite.php file, but it *does* contain users.php.

http://trac.mu.wordpress.org/browser/trunk/wp-admin/users.php


Donncha O Caoimh on 10 March, 2008 at 4:31 pm #

Thanks for blogging this. The original blogger never contacted us with that exploit, but it’s fixed now.


DK on 11 March, 2008 at 6:31 pm #

Donncha, glad we could help my man.


[…] VanFossen is also jazzed about WordPress 2.5 coming to WordPress.com, details a security vulnerability for WordPress.com blogs was fixed in less than 10 minutes after initial report, Matt Mullenweg’s report that more […]

