Input passed to the "file" parameter in wp-admin/templates.php (when "action" is set to "update") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the target user is logged in as an administrator. The vulnerability is confirmed in version 2.1. Prior versions may also be affected.

Reproducible: Always

Steps to Reproduce:
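The advisory describes a reflected parameter reaching the page unescaped. The following is an added illustration, not WordPress's own templates.php code: a hypothetical handler for the "file" parameter shown in its vulnerable form beside a hardened form that allowlists the file name and escapes it on output (the allowlist contents and request arrays are constructed for the demo).

```php
<?php
// Added illustration (hypothetical, not WordPress code): a minimal handler in
// the style of wp-admin/templates.php?action=update that takes a theme file
// name from the "file" request parameter and echoes it back into the page.

// Constructed allowlist of files the editor may touch (hypothetical names).
$editable_files = array('index.php', 'style.css', 'header.php');

// Vulnerable pattern: the raw parameter is written into HTML without
// escaping, so any markup in the value is rendered by the admin's browser.
function render_vulnerable(array $request): string {
    $file = isset($request['file']) ? (string) $request['file'] : '';
    return "<p>Editing file: " . $file . "</p>";
}

// Hardened pattern: accept only a known file name, then escape on output so
// the reflected value is shown as text rather than interpreted as markup.
function render_hardened(array $request, array $editable_files): string {
    $file = isset($request['file']) ? (string) $request['file'] : '';
    if (!in_array($file, $editable_files, true)) {
        // Unknown file: emit a fixed message instead of reflecting the input.
        return "<p>Editing file: (invalid file)</p>";
    }
    $safe = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    return "<p>Editing file: " . $safe . "</p>";
}

// Constructed sample requests: one ordinary, one carrying stray markup.
$benign  = array('action' => 'update', 'file' => 'style.css');
$hostile = array('action' => 'update', 'file' => '<b>not a file</b>');

echo render_vulnerable($hostile), "\n";                 // markup survives
echo render_hardened($benign, $editable_files), "\n";   // allowlisted name
echo render_hardened($hostile, $editable_files), "\n";  // rejected input
```

Comparing the two outputs for the second request shows the defect the advisory describes: the vulnerable form returns the markup intact, the hardened form never reflects the untrusted value.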
Hi, given that >=2.1 is masked because it needs more testing and considering the long list of security bugs, I would like to mask the whole package. Comments?
I agree, and see bug 163817 which is hardly solved, there is already another XSS! I'm sure Steve will agree too. I vote for a GLSA since wordpress is rather common.
The bug is probably already fixed in 2.1.1, which is in the tree. If it's present in 2.0.9 as well, then I have no problems with masking the whole package.
(In reply to comment #3)
> The bug is probably already fixed in 2.1.1, which is in the tree. If it's
> present in 2.0.9 as well, then I have no problems with masking the whole
> package.

This is what 2.1.1 and 2.0.9 were released to fix AFAIK. And is already noted on bug 163817. See http://bugs.gentoo.org/show_bug.cgi?id=163817#c4
(In reply to comment #4)
> And is already noted on bug 163817 See
> http://bugs.gentoo.org/show_bug.cgi?id=163817#c4

We were wrong, that's not the same, sorry. Thank you for having pointed it out. I've just looked into the diff between 2.0.7, 2.0.8, and 2.0.9, and the only change in templates.php is between 2.0.9 and 2.1. That's inconsistent with Secunia, which says that 2.1 is affected and 2.1.1 is fixed. As for me, 2.0.9 is vulnerable and 2.1 is fixed, but I'm not sure.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure http://www.securityfocus.com/bid/22220
CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS http://www.securityfocus.com/bid/22534
And another one! bug #168529 ... mask?
I can say with certainty that this is fixed in 2.1.2.
*** This bug has been marked as a duplicate of bug 168529 ***