[wp-hackers] Forum Help

Matthew Mullenweg m at mullenweg.com
Sun May 15 16:45:04 GMT 2005


Matthew Thomas wrote:
> A security vulnerability has been identified in WordPress that could 
> allow an attacker to delete posts, pages, or comments on your Weblog, by 
> getting you to click on a link. The attacker could (for example) include 
> this link in a comment on your Weblog or someone else's, or send it to 
> you in an HTML e-mail message.

I know it takes the wind out of your "advisory" but these are all 
primitive forms of XSS that WP already protects against. In addition an 
API hook was added prior to the release of 1.5.1 in order to make 
plugins that block the GWA extra easy:

http://trac.wordpress.org/changeset/2595

I wanted people to test HTTP_X_MOZ=PREFETCH blocking in plugins and work 
out any issues there before rolling it in.

-- 
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com
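A plugin of the kind Matt describes, refusing requests that carry the Google Web Accelerator prefetch header, as an added example; it is not code from the thread or from WordPress itself, and the `init` hook name and the `gwa_example_` function names are assumptions.

```php
<?php
/*
Plugin Name: Block GWA Prefetch (example)
Description: Rejects speculative prefetch requests before any action runs.
*/

// Google Web Accelerator marks its speculative requests with the request
// header "X-Moz: prefetch", which PHP exposes as $_SERVER['HTTP_X_MOZ'].
// Because the accelerator follows ordinary GET links on a page, an admin
// link that performs an action via GET can fire without a real click.
// Refusing prefetch requests up front removes that path.

function gwa_example_is_prefetch( $server ) {
	if ( ! isset( $server['HTTP_X_MOZ'] ) ) {
		return false;
	}
	// Header values are case-insensitive; tolerate stray whitespace too.
	return strtolower( trim( $server['HTTP_X_MOZ'] ) ) === 'prefetch';
}

function gwa_example_block_prefetch() {
	if ( ! gwa_example_is_prefetch( $_SERVER ) ) {
		return;
	}
	// Refuse with 403 and forbid caching, so the accelerator cannot later
	// hand this response to the browser in place of the real page.
	header( 'HTTP/1.1 403 Forbidden' );
	header( 'Cache-Control: no-store, no-cache, must-revalidate' );
	header( 'Content-Type: text/plain; charset=utf-8' );
	echo "Prefetch requests are not accepted by this site.\n";
	exit;
}

// Hook name is an assumption: the point is to run before any handler
// that acts on the request, so the earliest available action is used.
add_action( 'init', 'gwa_example_block_prefetch' );
```

Activate it on a test blog and exercise a page with the header set (for example with a command-line HTTP client that adds `X-Moz: prefetch`) to confirm the 403 arrives before any action handler runs.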

