WordPress XSS vulnerability in templates.php

An important heads-up to all WordPress fans—that’s pretty much the whole blogosphere*, isn’t it? A security flaw was recently discovered in the blog software’s templates.php file. It’s an XSS (cross-site scripting) flaw, i.e. one that lets an attacker inject malicious code into web pages.

David Kierznowski explains what part of the WP file is causing this:

When editing files a shortcut is created titled “recently accessed files”. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with “</”. We can get around this by using “open” IMG tags; this works under FF and IE.

In pseudo-English, that would mean:

WordPress is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
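To make the pattern concrete, here is an added Python sketch of the two points above: basename() only cuts at the last slash, so it is not a sanitiser, and escaping the attribute value is what actually closes the hole. This is not WordPress code; the function names and sample paths are made up for illustration.

```python
import html
import os

# Constructed file names (not from the original post): an ordinary path, one
# carrying a closed tag (which contains a '/'), and one carrying an "open" tag.
SAMPLES = {
    "plain": "wp-content/themes/default/index.php",
    "closed": "wp-content/themes/<b>bold</b>",
    "open": "wp-content/themes/<img src=x>",
}

def description_of(file: str) -> str:
    """Stand-in for get_file_description(): the only filtering is basename(),
    which just drops everything up to the last '/'."""
    return os.path.basename(file)

def recently_accessed_link_vulnerable(file: str) -> str:
    """Mirror of the pattern described in the post: the anchor text is escaped
    (wp_specialchars), but the title attribute receives the raw description."""
    description = description_of(file)
    return (f'<a href="templates.php?file={html.escape(file)}" '
            f'title="{description}">{html.escape(description)}</a>')

def recently_accessed_link_fixed(file: str) -> str:
    """Same markup with the attribute value escaped too. html.escape() quotes
    '"' as &quot; by default, so the value cannot break out of the attribute."""
    description = description_of(file)
    return (f'<a href="templates.php?file={html.escape(file)}" '
            f'title="{html.escape(description)}">{html.escape(description)}</a>')

def injected_tag_count(rendered: str) -> int:
    """A correctly rendered link contains exactly two '<' (for <a> and </a>);
    every additional one is markup that leaked in from the file name."""
    return rendered.count("<") - 2

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        print(name, "->", description_of(path),
              "| vulnerable leaks:", injected_tag_count(recently_accessed_link_vulnerable(path)),
              "| fixed leaks:", injected_tag_count(recently_accessed_link_fixed(path)))
```

Running it shows the closed tag being truncated by basename() (so no extra markup reaches the page), the open tag surviving basename() and landing in the title attribute of the vulnerable version, and zero leaked tags from the escaped version for every input.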

TechBuzz lists all WordPress versions that are in danger of this exploit, but the short story is: unless you’re using 2.0.6, you’re not safe. And as far as I know that one hasn’t been released officially yet. It’s advised you patch the culprit file in the meantime. (Make sure to back those files up first!) Update: WP 2.0.6 was released yesterday, so you might want to upgrade instead of patching.

* It’s so popular, in fact, that sneaky people are making money off of hinting at how you can use it to make your money. They obviously haven’t heard of WP’s support community.

Update: It’s templates.php, with an s. oKs this!

6 replies

  1. oh my. :( thanks for the heads-up. and about those ‘sneaky people’... well, unfortunately a lot of those exist, and a lot more lazy ‘webmasters’ are there to purchase these ‘products’. content is king, and it’s a shame for it to be stolen. content summaries are still stealing.


  2. 2.0.6 was released yesterday (MNL time) and I already upgraded my blog. I opted to upgrade instead of patching the file since there’s a feature that enabled better Safari-handling of Quicktags. :)


  3. Yes, I got the heads-up from Phillip and Mark of WeblogToolsCollection; I just haven’t updated this post yet. ;)

    I believe the WP version on this site is still only 2.0.4 because I’m scared of breaking anything. But yeah, I’ll upgrade in a bit!


  4. Pingback: The Armorer’s CodeX » Top News for the start of 2007
