Advisory:

WordPress 3.5.2 contains a plain text content injection vulnerability

Vulnerability

Last revised:

WordPress 3.5.1 contains an error message, emitted when an invalid feed template is requested, that reflects user-supplied input. It is not possible to include HTML in this field, but plain text content can be injected. For example:

http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked.%20%20Quick%2C%20write%20a%20news%20paper%20story%20about%20this%21%20I%20am%20tired%20of%20error%20messages%20that%20say%20this

This message is emitted in wp-includes/functions.php in do_feed() at line 1009.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

Score: 5 (Medium)
Access vector: Network
Access complexity: Low
Authentication: None
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

We have mitigated this issue by:

  • Ensuring that no sites we host require feeds to be accessed using this query string format
  • Removing this query string variable before it reaches the web server
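The second mitigation above, stripping the `feed` query variable before it reaches WordPress, can be expressed as an allowlist check: a `feed` value that is not a recognised feed slug is dropped, and the same check can be run over web server access logs to spot requests that would have triggered the error message. The code below is an added illustration written for this advisory, not code from WordPress or from the advisory's authors. It assumes the four built-in WordPress feed slugs (`rss`, `rss2`, `atom`, `rdf`) are the only legitimate values; a site that registers custom feeds would extend `ALLOWED_FEEDS`. The access log lines are constructed sample data in Apache combined format.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the standard built-in WordPress feed formats. Sites that add
# custom feeds (via add_feed()) would need to extend this set.
ALLOWED_FEEDS = {"rss", "rss2", "atom", "rdf"}


def feed_value_is_valid(value: str) -> bool:
    """True if the value is a known feed slug, false for anything else
    (including free text such as the message in the advisory's example)."""
    return value.lower() in ALLOWED_FEEDS


def sanitize_feed_query(url: str) -> Tuple[str, Optional[str]]:
    """Remove a `feed` query parameter whose value is not an allowed slug.

    Returns (cleaned_url, rejected_value); rejected_value is None when nothing
    had to be removed. This is the reverse-proxy-style filter the advisory
    describes: WordPress never sees the unexpected value, so the reflected
    error message is never produced.
    """
    parts = urlsplit(url)
    kept = []
    rejected = None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "feed" and not feed_value_is_valid(value):
            rejected = value
            continue
        kept.append((key, value))
    cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
    return cleaned, rejected


# Minimal parser for Apache combined log lines: client IP, request path and
# status are all we need to detect attempts against the feed parameter.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_feed_injection_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, rejected_feed_value) for every logged request whose
    `feed` parameter is not an allowed slug. Percent-encoding is decoded so the
    reported value is the text that would have appeared in the error page."""
    hits = []
    for line in log_lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        query = urlsplit(match.group("path")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "feed" and not feed_value_is_valid(value):
                hits.append((match.group("ip"), value))
    return hits


# Constructed sample log lines (documentation-range IPs, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /?feed=rss2 HTTP/1.1" 200 4523',
    '203.0.113.9 - - [10/Oct/2013:13:56:01 +0000] "GET /?feed=This%20site%20is%20broken HTTP/1.1" 404 812',
    '198.51.100.7 - - [10/Oct/2013:13:57:12 +0000] "GET /category/news/feed/ HTTP/1.1" 200 3311',
]

if __name__ == "__main__":
    url = "http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked&p=1"
    print(sanitize_feed_query(url))
    print(find_feed_injection_attempts(SAMPLE_LOG))
```

The filter keeps every other query parameter intact, so legitimate permalinks such as `/?p=1` still work, and the pretty-permalink form `/category/news/feed/` is untouched because it carries no `feed` query variable at all.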

The issue has been reported to WordPress’s developers, and will be addressed in version 3.7.