WordPress update fixes vulnerabiliy
In WordPress version 2.6.5, the developers of the open source blog-publishing tool fixed a cross site scripting (XSS) vulnerability as wells as three bugs not related to security. However, the XSS hole can only be exploited on IP-address-based virtual servers running Apache 2.x. Since installations at web hosts are usually name-based, it is not likely that many users will be affected.
The XSS hole is contained in wp-includes/feed.php. When RSS feeds are generated, JavaScript can be injected and executed in the victim’s browser under certain circumstances. The Wordpress developers skipped version number 2.6.4 in order to avoid mix-ups involving a fraudulent version 2.6.4 put into circulation by scammers.
See also:
- WordPress 2.6.5, Description of the update
- WordPress XSS vulnerability in RSS Feed Generator, Description of the vunerability from Jeremias Reith
(trk)