CVSS Summary
| Score | 5 Medium |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
Advisory:
WordPress 3.5.2 contains a plain text content injection vulnerability
Vulnerability
Last revised:
WordPress 3.5.1 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:
http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked.%20%20Quick%2C%20write%20a%20news%20paper%20story%20about%20this%21%20I%20am%20tired%20of%20error%20messages%20that%20say%20this
This message is emitted in wp-includes/functions.php in do_feed() at line 1009.
Current state: Reported
Proof of concept
Advisory timeline
Mitigation/further actions
We have mitigated this issue by:
- Ensuring that no sites we host do not require feeds to be accessed using this query string format
- Removing this query string variable before it reaches the web server
The issue has been reported to WordPress’s developers, and will be addressed in version 3.7.