WordPress update fixes vulnerability
In WordPress version 2.6.5, the developers of the open source blog-publishing tool fixed a cross-site scripting (XSS) vulnerability as well as three bugs not related to security. However, the XSS hole can only be exploited on IP-address-based virtual servers running Apache 2.x. Since installations at web hosts are usually name-based, it is not likely that many users will be affected.
The XSS hole is contained in wp-includes/feed.php. When RSS feeds are generated, JavaScript can be injected and executed in the victim’s browser under certain circumstances. The WordPress developers skipped version number 2.6.4 in order to avoid mix-ups involving a fraudulent version 2.6.4 put into circulation by scammers.
See also:
- WordPress 2.6.5, Description of the update
- WordPress XSS vulnerability in RSS Feed Generator, Description of the vulnerability from Jeremias Reith
(trk)
















