In association with heise online

26 November 2008, 15:24

WordPress update fixes vulnerabiliy

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

In WordPress version 2.6.5, the developers of the open source blog-publishing tool fixed a cross site scripting (XSS) vulnerability as wells as three bugs not related to security. However, the XSS hole can only be exploited on IP-address-based virtual servers running Apache 2.x. Since installations at web hosts are usually name-based, it is not likely that many users will be affected.

The XSS hole is contained in wp-includes/feed.php. When RSS feeds are generated, JavaScript can be injected and executed in the victim’s browser under certain circumstances. The Wordpress developers skipped version number 2.6.4 in order to avoid mix-ups involving a fraudulent version 2.6.4 put into circulation by scammers.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit