An important heads-up to all WordPress fans—that’s pretty much the whole blogosphere*, isn’t it? There’s been a recently-discovered security flaw with the blog software’s templates.php file. It’s called XSS, i.e. cross-site scripting, a vulnerability that permits malicious code injection into web pages.
David Kierznowski explains what part of the WP file is causing this:
When editing files a shortcut is created titled “recently accessed files”. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with “/”. We can get around this by using “open” IMG tags; this works under FF and IE.
In pseudo-English, that would mean:
WordPress is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
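The pattern Kierznowski describes, as an added PHP example rather than WordPress's own code: the anchor text is escaped but the title attribute is not, basename() is the only filter on the input, and the fix is to escape for the attribute context as well. The describe_file() stub and the theme-editor.php link are constructed stand-ins, not get_file_description() or the real templates.php markup.

```php
<?php
// Constructed stand-in for get_file_description(): returns the raw file
// name when it is not a known template, which is how the untrusted string
// reached the title attribute.
function describe_file(string $file): string {
    $known = ['index.php' => 'Main Index Template', 'style.css' => 'Stylesheet'];
    return $known[$file] ?? $file;
}

// Vulnerable pattern: anchor text escaped, title attribute left raw.
function recent_link_vulnerable(string $file): string {
    $file  = basename($file);                     // the only filter applied
    $text  = htmlspecialchars($file, ENT_QUOTES); // stands in for wp_specialchars()
    $title = describe_file($file);                // unescaped in attribute context
    return "<a href=\"theme-editor.php?file=$file\" title=\"$title\">$text</a>";
}

// Hardened pattern: every dynamic value is escaped for the context it lands in.
function recent_link_fixed(string $file): string {
    $file  = basename($file);
    $text  = htmlspecialchars($file, ENT_QUOTES);
    $title = htmlspecialchars(describe_file($file), ENT_QUOTES);
    $href  = htmlspecialchars('theme-editor.php?file=' . $file, ENT_QUOTES);
    return "<a href=\"$href\" title=\"$title\">$text</a>";
}

// Constructed inputs. basename() discards everything up to the last "/",
// so a closing tag loses its "</" prefix, while an unclosed IMG tag has no
// "/" and passes through basename() untouched.
$inputs = ['</script>', 'x"><img src=x'];
foreach ($inputs as $in) {
    echo "basename:   ", basename($in), "\n";
    echo "vulnerable: ", recent_link_vulnerable($in), "\n";
    echo "fixed:      ", recent_link_fixed($in), "\n\n";
}
```

In the vulnerable output the second input closes the title attribute and starts a new element inside the anchor; in the fixed output it is rendered as inert text.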
TechBuzz lists all WordPress versions that are in danger of this exploit, but the short story is unless you’re using 2.0.6, you’re not safe. And as far as I know that one hasn’t been released officially yet. It’s advised you patch the culprit file in the meantime. (Make sure to back those files up first!) WP 2.0.6 has just been released yesterday. You might want to upgrade instead of patching.
* It’s so popular, in fact, that sneaky people are making money off of hinting at how you can use it to make your money. They obviously haven’t heard of WP’s support community.
Update: It’s templates.php, with an s. oKs this!