[wp-hackers] Reputed XSS issue with WordPress (templates.php)

Ryan Boren ryan at boren.nu
Tue Feb 13 18:32:19 GMT 2007


On 2/13/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> >> Any managing action which allows custom JavaScript to be directly
> >> executed
> >> from a request is a XSS vulnerability and should be fixed.
> >
> > I didn't get XSS with the sample exploit link.  Once I clicked through
> > the AYS though,  I got another AYS and XSS.  We just need to
> > specialchars the output of wp_explain_nonce().
>
> That's indeed the best fix for this issue, but I hope my other mail
> proved that this can be used for XSS. (That the original exploit code
> didn't do much doesn't mean it can't be adapted.)

Yes. I had to play with it but managed to trigger XSS.  I put a fix in
for 2.0, 2.1, and trunk for everyone's review and testing.

Ryan
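As an added illustration (not WordPress's code and not the fix Ryan committed), a hypothetical confirmation page that builds its explanation text from request data, shown unescaped and then escaped with htmlspecialchars at the point of output; the function and parameter names are assumptions.

```php
<?php
// Hypothetical stand-in for an explanation string derived from the request.
// The action and the object it refers to both come from the URL, so the
// resulting text must be treated as untrusted output, not as trusted markup.
function explain_action(string $action, string $target): string
{
    return "Your attempt to {$action} '{$target}' has failed.";
}

// Unsafe: the explanation is written straight into the page, so any markup
// carried in $target is rendered by the browser.
function render_ays_unsafe(string $action, string $target): string
{
    $text = explain_action($action, $target);
    return "<p>{$text}</p><p>Are you sure you want to do this?</p>";
}

// Safe: escape at the point of output. ENT_QUOTES also neutralises both
// quote characters, so the same helper is safe inside attribute values.
function render_ays_safe(string $action, string $target): string
{
    $text = htmlspecialchars(explain_action($action, $target), ENT_QUOTES, 'UTF-8');
    return "<p>{$text}</p><p>Are you sure you want to do this?</p>";
}

// Constructed sample input standing in for request parameters.
$action = 'edit the file';
$target = 'index.php" <b>not markup</b>';

// The unsafe rendering contains a live <b> element taken from the request;
// the safe rendering contains &lt;b&gt; and &quot;, displayed as text.
echo render_ays_unsafe($action, $target), PHP_EOL;
echo render_ays_safe($action, $target), PHP_EOL;
```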

