XSS Flaw Fixed In Latest WordPress 2.6.5
WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software. The flaw only affects IP-based virtual servers running on Apache 2.x. In those setups it might be possible for hackers to rig systems so that they serve up malicious JavaScript from domains under their control.
Version 2.6.5 also addresses three unrelated performance and stability bugs in the open source package. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site WordpresZ. Webmasters were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. There is not and never will be an official 2.6.4 version.
If you are a WordPress blog owner and interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.