Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 27th, 2008

XSS Flaw Fixed In Latest WordPress 2.6.5

WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software. The flaw only affects IP-based virtual servers running on Apache 2.x. In those setups it might be possible for hackers to rig systems so that they serve up malicious JavaScript from domains under their control.

Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site WordpresZ. Webmasters were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. There is not and never will be an official 2.6.4 version.

If you are a WordPress blog owner and interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
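A small added check for site owners (example code, not part of this post or of WordPress itself) that reads the `$wp_version` string from `wp-includes/version.php` and classifies the install: anything below 2.6.5 still needs the fix, and the non-existent 2.6.4 is treated as the bogus release described above. The sample file contents below are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample of the relevant lines in wp-includes/version.php
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.6.3';\n$wp_db_version = 8201;\n"

FIXED = (2, 6, 5)   # first release carrying the feed.php XSS fix
FAKE = (2, 6, 4)    # never released officially; only the backdoored download used it


def parse_wp_version(php_source: str):
    """Return the $wp_version string from version.php, or None if absent."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


def version_tuple(version: str):
    """'2.6.3' -> (2, 6, 3); a missing patch level compares lower, e.g. '2.6' -> (2, 6)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def assess(version: str) -> str:
    """Classify a WordPress version against the 2.6.5 security release."""
    t = version_tuple(version)
    if t == FAKE:
        return "fake-2.6.4"      # treat as compromised: no official 2.6.4 exists
    if t < FIXED:
        return "needs-update"    # XSS fix in wp-includes/feed.php not applied
    return "ok"


def assess_install(wp_root: str) -> str:
    """Read wp-includes/version.php under wp_root (a hypothetical path) and assess it."""
    source = Path(wp_root, "wp-includes", "version.php").read_text()
    version = parse_wp_version(source)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    print(assess(parse_wp_version(SAMPLE_VERSION_PHP)))
```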
