WordPress < 2.6.5 'feed.php' XSS
Medium Nessus Network Monitor Plugin ID 4775
Synopsis
The remote web server contains a PHP application that is affected by a cross-site scripting vulnerability.
Description
The version of WordPress installed on the remote host fails to completely sanitize input from the 'Host' request header before using it in the 'self_link()' function in 'wp-includes/feed.php' to generate dynamic HTML output. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser, to be executed within the security context of the affected site.
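As an added illustration of the flaw class described above and a defensive pattern against it (example code written for this page, not WordPress's own 'self_link()' nor its actual fix): a feed self-link builder that echoes the raw Host header into an attribute, beside a hardened form that only accepts a Host matching the site's configured hostnames (a constructed allowlist, assumed here) and escapes values before emitting them. A `self_link_unsafe` call with a Host containing a quote shows how the attribute context is broken out of; the hardened function falls back to the configured default host instead.

```python
import html
import re
from typing import Optional

# Constructed for this example: the hostnames this site is configured to
# serve. WordPress derives this from its site URL setting; a plain set is
# used here as an assumption.
ALLOWED_HOSTS = {"blog.example.com", "www.example.com"}
DEFAULT_HOST = "blog.example.com"

# Syntactic shape of a valid Host header: hostname plus optional port.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def self_link_unsafe(host_header: str, request_uri: str) -> str:
    """Model of the reported flaw: the Host header is concatenated into the
    feed's <atom:link> element without validation or escaping."""
    return (f'<atom:link href="http://{host_header}{request_uri}" '
            f'rel="self" type="application/rss+xml" />')


def canonical_host(host_header: Optional[str]) -> str:
    """Return the Host header only if it is syntactically a hostname and one
    of the hosts this site serves; otherwise return the configured default
    rather than reflecting client-controlled input."""
    if not host_header or not _HOST_RE.match(host_header):
        return DEFAULT_HOST
    host = host_header.lower()
    hostname = host.split(":")[0]
    return host if hostname in ALLOWED_HOSTS else DEFAULT_HOST


def self_link_safe(host_header: Optional[str], request_uri: str) -> str:
    """Hardened form: canonicalise the host and HTML-escape the request URI
    (quote=True so '"' becomes &quot;) before placing it in an attribute."""
    href = f"http://{canonical_host(host_header)}{html.escape(request_uri, quote=True)}"
    return f'<atom:link href="{href}" rel="self" type="application/rss+xml" />'
```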
Solution
Upgrade to WordPress 2.6.5 or later.