XSS vulnerabilities in WordPress themes
Numerous themes for the WordPress blogging system are vulnerable to an XSS exploit. Attackers could use it to trick blog users and readers into revealing sensitive data. According to a posting on the security mailing list Bugtraq, the problem affects all versions of WordPress, including the latest version 2.1.3; however, it only occurs with certain themes. The standard theme is affected, as are other popular themes such as k2, classic, and hiperminimalist, which are derived from it.
The problem is usually caused by the theme's custom 404 error page, which embeds unfiltered user input taken from the URL into its output. One possible scenario is that hackers send manipulated links via e-mail. When the user clicks on such a link, the blog displays attacker-supplied content under the name of the vulnerable blog. This could give hackers access to login cookies or passwords.
Bloggers can determine whether a blog is vulnerable by accessing http://<blog-URL>/index.php/index.php/"><script>alert()</script> . If an alert window opens, the theme is vulnerable. There are no official updates for the themes yet, only a temporary workaround.
Open the files searchform.php and sidebar.php and search for the phrase
action="<?php echo $_SERVER['PHP_SELF']; ?>"
and replace it with
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
The files are located in your theme directory, which is normally wp-content/themes/<theme-name>/.
The changes make the output pass through the filter function htmlspecialchars(), preventing attackers from utilizing the exploit.
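As an added example, not taken from the article or the Bugtraq posting, the following PHP script puts the vulnerable and the hardened form line side by side and feeds both a constructed PHP_SELF value of the kind the test URL above produces (PHP_SELF carries any path info appended after index.php). The function names and the check are assumptions for illustration only.

```php
<?php
// Added example: why the unescaped $_SERVER['PHP_SELF'] in searchform.php and
// sidebar.php is exploitable, and how htmlspecialchars() neutralises it.
// Run from the CLI; no web server is needed.

// Constructed value: PHP_SELF includes the path info that follows the script
// name, so a request for /index.php/"><script>alert()</script> yields this.
$php_self = '/index.php/"><script>alert()</script>';

// Vulnerable form line: the value lands inside a double-quoted attribute unfiltered.
function vulnerable_form(string $php_self): string {
    return '<form action="' . $php_self . '">';
}

// Hardened form line: htmlspecialchars() turns &, <, >, " (and ' with ENT_QUOTES)
// into entities, so the browser cannot leave the attribute early.
function hardened_form(string $php_self): string {
    return '<form action="' . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '">';
}

// Self-check modelled on how a browser tokenises the markup: the attribute value
// ends at the first raw double quote, so a safe form line must consist of exactly
// one <form> tag with nothing trailing after its closing '>'.
function renders_as_single_tag(string $html): bool {
    return preg_match('/^<form action="[^"]*">$/', $html) === 1;
}

echo "Vulnerable: " . vulnerable_form($php_self) . "\n";
echo "  single tag? " . (renders_as_single_tag(vulnerable_form($php_self)) ? 'yes' : 'no') . "\n";
echo "Hardened:   " . hardened_form($php_self) . "\n";
echo "  single tag? " . (renders_as_single_tag(hardened_form($php_self)) ? 'yes' : 'no') . "\n";
```

The same treatment applies to any other theme template that echoes a request-derived value such as PHP_SELF or REQUEST_URI into markup, not only the two files named in the workaround.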
For more information on this topic, see also:
- WordPress All versions XSS, Posting on Bugtraq