WordPress 3.0.4 Stored XSS (via Editor role)

As noted earlier, WordPress released version 3.0.4 as a security release to fix a vulnerability. However, a high-severity vulnerability in 3.0.4 itself has now been disclosed by a security research group named Anatolia Security.

If a WordPress site has users with the Editor role, this vulnerability gives those Editors a way to take over the site. It is a stored cross-site scripting (XSS) flaw, and the WordPress security team has been informed of it.

Our recommendation: suspend Editor-role accounts for the time being. As detailed in the advisory, an Editor-role user can place arbitrary script in a comment; it is stored and then executes in the browser of every user who views it, including Administrators, which can be used to gain access to those users' and Admin accounts.

Exploit: http://www.exploit-db.com/exploits/15867/
Screenshot: http://img3.imageshack.us/img3/1148/wordpressx.png
Anatolia Security: http://www.anatoliasecurity.com/
Details: http://www.anatoliasecurity.com/Blog/Detay.aspx?bId=8
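As an added example (not code from the original post, from WordPress, or from Anatolia Security's advisory), the stopgap below is a WordPress must-use plugin that does what the recommendation above asks for without locking Editors out entirely. It assumes the stored XSS works because the Editor role holds the `unfiltered_html` capability by default, so Editor-submitted markup is stored verbatim instead of passing through `wp_kses()`; the post does not state that mechanism. The hooks and API calls (`get_role`, `WP_Role::remove_cap`, `pre_comment_approved`, `WP_User::has_cap`, `admin_notices`, `$wpdb`) are core WordPress; the `stopgap_*` function names are mine. Part 2 exists because `wp_allow_comment()` auto-approves comments from users who hold `moderate_comments`, which Editors do by default, regardless of the "An administrator must always approve the comment" setting, so that setting alone would not hold an Editor's comment.

```php
<?php
/*
Plugin Name: Editor stopgap hardening (added example)
Description: Temporary mitigation while the Editor-role stored XSS is unfixed.
*/
// Install by copying this file into wp-content/mu-plugins/ (create the
// directory if it does not exist); must-use plugins load on every request.
// Function names are hypothetical; the hooks and APIs are core WordPress ones.

// 1. Persistently remove unfiltered_html from the Editor role. Without that
//    capability, kses_init() attaches wp_filter_kses()/wp_filter_post_kses()
//    to the comment and post content save filters, so script markup is
//    stripped on save instead of being stored verbatim.
//    Assumption: the XSS relies on that default capability (not stated in the post).
add_action( 'init', 'stopgap_strip_editor_unfiltered_html', 1 );
function stopgap_strip_editor_unfiltered_html() {
    $role = get_role( 'editor' );
    if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
        $role->remove_cap( 'unfiltered_html' ); // updates the wp_user_roles option once
    }
}

// 2. Hold comments from any logged-in non-Administrator for moderation.
//    wp_allow_comment() auto-approves comments from users who hold
//    moderate_comments (Editors do), regardless of the "An administrator must
//    always approve the comment" setting, so that setting alone is not enough.
add_filter( 'pre_comment_approved', 'stopgap_hold_editor_comments', 99, 2 );
function stopgap_hold_editor_comments( $approved, $commentdata = array() ) {
    $uid = 0;
    foreach ( array( 'user_id', 'user_ID' ) as $key ) { // core sets both keys
        if ( ! empty( $commentdata[ $key ] ) ) {
            $uid = (int) $commentdata[ $key ];
            break;
        }
    }
    if ( 'spam' === $approved || 0 === $uid ) {
        return $approved; // anonymous comments keep core's decision
    }
    $user = new WP_User( $uid );
    return $user->has_cap( 'manage_options' ) ? $approved : 0; // 0 = pending
}

// 3. Triage already-stored comments: list, to Administrators only, the IDs of
//    comments by logged-in users that carry script-bearing markup. This is a
//    heuristic to point reviewers at candidates, not proof of exploitation.
function stopgap_find_script_comments() {
    global $wpdb;
    $pattern = '/<\s*(script|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=/i';
    $ids  = array();
    $rows = $wpdb->get_results(
        "SELECT comment_ID, comment_content FROM $wpdb->comments
         WHERE user_id <> 0 AND comment_approved <> 'spam'"
    );
    foreach ( (array) $rows as $row ) {
        if ( preg_match( $pattern, $row->comment_content ) ) {
            $ids[] = (int) $row->comment_ID;
        }
    }
    return $ids;
}
add_action( 'admin_notices', 'stopgap_report_script_comments' );
function stopgap_report_script_comments() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $ids = stopgap_find_script_comments();
    if ( $ids ) {
        echo '<div class="error"><p>Review these comments for injected script: #'
           . implode( ', #', array_map( 'intval', $ids ) ) . '</p></div>';
    }
}
```

The capability change is written to the database on the first request and is in effect for every request after that, so check Editor accounts once after installing. A broader alternative is to define `DISALLOW_UNFILTERED_HTML` as true in wp-config.php, which disables `unfiltered_html` for every role including Administrators. Remove the plugin once a fixed WordPress version is installed.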

One comment on “WordPress 3.0.4 Stored XSS (via Editor role)”

  1. The same situation also occurs through the comment route. If the “An administrator must always approve the comment” option is not enabled on the site, there can also be a risk.