
WordPress < 2.6.5 'feed.php' XSS

Medium

Synopsis

The remote web server contains a PHP application that is affected by a cross-site scripting vulnerability.

Description

The version of WordPress installed on the remote host fails to completely sanitize input to the 'Host' request header before using it in the 'self_link()' function in 'wp-includes/feed.php' to generate dynamic HTML output. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.
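The following is an added illustrative example, not code from WordPress or from this advisory. It shows the general weakness the description refers to: a feed's self link assembled from the client-supplied Host request header and written into markup without validation or encoding, alongside a hardened form that restricts the header to a valid hostname and encodes it for an attribute context. The function names, the fallback host value and the sample input are assumptions made for this example.

```php
<?php
// Added example (not WordPress's own code). A request's Host header is
// client-controlled, so anything built from it must be treated as untrusted.

// Vulnerable pattern: the header is concatenated straight into the
// <atom:link> element, so any quote or angle bracket it carries can break
// out of the href attribute and change the document structure.
function self_link_vulnerable(string $host, string $uri): string
{
    return '<atom:link href="http://' . $host . $uri
         . '" rel="self" type="application/rss+xml" />';
}

// Hardened pattern: accept only a syntactically valid hostname (with an
// optional port); otherwise fall back to the site's configured host instead
// of reflecting the input. The resulting URL is then encoded for an XML
// attribute so it cannot alter the surrounding markup.
function self_link_hardened(string $host, string $uri, string $configuredHost): string
{
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        $host = $configuredHost;
    }
    $url = 'http://' . $host . $uri;
    return '<atom:link href="'
         . htmlspecialchars($url, ENT_QUOTES | ENT_XML1, 'UTF-8')
         . '" rel="self" type="application/rss+xml" />';
}

// Constructed sample input (not a real request): a Host value containing a
// double quote, which is never valid in a hostname.
$untrustedHost   = 'example.test"x';
$configuredHost  = 'example.test'; // assumed site configuration
$uri             = '/feed/';

echo self_link_vulnerable($untrustedHost, $uri), PHP_EOL;
// The quote lands inside the href attribute unchanged.

echo self_link_hardened($untrustedHost, $uri, $configuredHost), PHP_EOL;
// The invalid header is replaced by the configured host and the URL is
// attribute-encoded, so the output stays well-formed.
```

Validating the Host header against the site's configured hostname (rather than trusting whatever the client sends) is the more robust fix; output encoding is the second layer that keeps a stray value from becoming markup even if validation is bypassed.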

Solution

Upgrade to WordPress 2.6.5 or later.