WordPress - "year" Cross-Site Scripting Vulnerability

Saturday, 17 March 2007

ChX Security |
Advisory #1 |

-> "WordPress XSS under function wp_title()" <-

Data |
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)

Program Description |
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

Overview |
The query variable "year", as used inside the function "wp_title", is not sanitized,
so it allows a non-persistent cross-site scripting attack.

WorkAround |
$title takes the raw value (without any type of filter) of $year, which is a
query variable that can be filled from any web browser via a simple GET parameter.
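To make the pattern described above concrete, here is an added illustration; it is not WordPress's wp_title() source and not the vendor's fix. It reproduces the unfiltered copy of a "year" query variable into the page title next to a hardened form, with $query standing in for the parsed query variables and the separator argument as assumptions.

```php
<?php
// Added illustration (not WordPress code): a simplified title builder that
// copies the "year" query variable straight into the <title>, beside a
// hardened version. $query stands in for the parsed request (assumption).

// Vulnerable pattern: the query value is used raw, so whatever arrives in the
// GET parameter is reflected into the HTML without any filtering.
function build_title_vulnerable(array $query, string $sep = '&raquo;'): string {
    $title = '';
    if (!empty($query['year'])) {
        $title = $query['year'];          // raw, request-controlled string
    }
    return $title === '' ? '' : "$title $sep";
}

// Hardened pattern: a year can only be digits, so cast to int first and
// reject anything outside a plausible range, then escape at the output
// boundary so any remaining metacharacters are inert.
function build_title_fixed(array $query, string $sep = '&raquo;'): string {
    $title = '';
    if (!empty($query['year'])) {
        $year = (int) $query['year'];
        if ($year >= 1 && $year <= 9999) {
            $title = (string) $year;
        }
    }
    if ($title === '') {
        return '';
    }
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . " $sep";
}

// Constructed sample requests: a well-formed year, and one carrying markup.
$requests = [
    ['year' => '2007'],
    ['year' => '2007<em>x</em>'],     // constructed: markup in the parameter
];
foreach ($requests as $q) {
    echo "vulnerable: ", build_title_vulnerable($q), "\n";
    echo "fixed:      ", build_title_fixed($q), "\n";
}
```

The vulnerable version echoes the markup unchanged, while the hardened version reduces the second request to "2007 &raquo;" because the integer cast discards everything after the digits.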

Proof Of Concept|
ChX Security will not release any proof of concept.

The latest SVN revision (greater than revision 5002) has already fixed this bug...

For series 2.1.x and 2.0.x, the vendor will fix this in the next set of dot releases.

Dates |
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007

Shouts |
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.

ChX Security
(c) 2007
