A proof-of-concept code exploiting newly discovered XSSvulnerabilities for the latest version of Wordpress (2.2.1) was postedtoday on a security blog.
The researcher unveiled seven vulnerabilities, cross-site scripting(XSS) or SQL injections, whose consequences range from benign toserious, the critical ones potentially leading to blog compromising. Inhis haste to show his skills, this person also released aproof-of-concept (PoC) code exploiting one of these vulnerabilities.
The PoC in itself, as explained, is supposedly not malicious, and isdesigned to raise awareness and patch vulnerable versions of theWordPress publishing platform. In a few words, here’s how it works:
- A WordPress administrator browses the “Comments manager” in the administration panel
- She clicks a link, which redirects to the PoC author’s Web page.This page checks the referrer, to see whether it might originate from alogged-on WordPress administrator (the URL would contain...