[wp-hackers] Forum Help
Matthew Mullenweg
m at mullenweg.com
Sun May 15 16:45:04 GMT 2005
Matthew Thomas wrote:
> A security vulnerability has been identified in WordPress that could
> allow an attacker to delete posts, pages, or comments on your Weblog, by
> getting you to click on a link. The attacker could (for example) include
> this link in a comment on your Weblog or someone else's, or send it to
> you in an HTML e-mail message.

I know it takes the wind out of your "advisory" but these are all
primitive forms of XSS that WP already protects against. In addition, an
API hook was added prior to the release of 1.5.1 in order to make
plugins that block the GWA extra easy:

http://trac.wordpress.org/changeset/2595

I wanted people to test HTTP_X_MOZ=PREFETCH blocking in plugins and work
out any issues there before rolling it in.

--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com