eleventh alliance

Cross Site Scripting vulnerability in Wordpress 2.0.1

This blog post was originally published on 4 March 2006, but was taken down until a patched version of Wordpress was released, to give Wordpress users a chance to update their installations.

Wordpress 2.0.1 has a reflected Cross Site Scripting vulnerability in /wp-admin/options-general.php: the page parameter is echoed back unescaped. You need to be logged in to trigger it. The exploit URL would be something like this:

http://host.domain.tld/wp-admin/options-general.php?page=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E

Because it is a reflected XSS and you have to be logged in to use it, I don't think it's very susceptible to malicious use. The fix is pretty simple, as seen in the diff below:

$ svn diff wp-admin/admin.php Index: wp-admin/admin.php
===================================================================
— wp-admin/admin.php  (revision 3513)
+++ wp-admin/admin.php  (working copy) @@ -61,7 +61,7 @@
}  if (! file_exists(ABSPATH . “wp-content/plugins/$plugin_page”))
-                       die(sprintf(__(’Cannot load %s.’), $plugin_page));
+                       die(sprintf(__(’Cannot load %s.’), htmlentities($plugin_page)));
if (! isset($_GET[’noheader’])) require_once(ABSPATH . ‘/wp-admin/admin-header.php’);
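Review bot: the htmlentities($plugin_page) call on the `+` line passes no flags and no charset, so it falls back to PHP's defaults (ENT_COMPAT, which leaves single quotes unencoded, and the default ISO-8859-1 charset rather than the blog's); pass them explicitly, e.g. `htmlentities($plugin_page, ENT_QUOTES, 'UTF-8')`, or use whatever escaping helper the rest of the code base already uses. Escaping only the die() message also leaves the unchanged `file_exists(ABSPATH . "wp-content/plugins/$plugin_page")` line consuming the raw parameter; validating $plugin_page against the registered plugin pages before that check would reject unexpected input instead of merely rendering it safely.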

I have notified the Wordpress security team about this bug, and hopefully we will see a public fix soon.

Take care.

UPDATE: Mark Jaquith and David House on the #wordpress IRC channel worked up a possible exploit scenario, which made me mark this post as private until a public fix for this vulnerability is published. The attack scenario they came up with is the following code. If disguised with something like tinyurl, an administrator might be fooled into clicking on the link and setting the password to a pre-defined value (or modifying any other settings).
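The pattern behind the fix, as an added example that is not code from this post or from Wordpress: the vulnerable reflection, the patch's plain htmlentities() call, and a stricter variant that pairs explicit ENT_QUOTES/UTF-8 encoding with a check against the registered plugin pages. The function names and the registered-page list are assumptions.

```php
<?php
// Added example, not WordPress code. Function names are assumptions.

// Vulnerable pattern: the user-controlled page parameter is reflected
// straight into the HTML error message, so markup in it is rendered.
function plugin_load_error_vulnerable($plugin_page) {
    return sprintf('Cannot load %s.', $plugin_page);
}

// The patch's fix: HTML-encode before reflecting. With no flags this
// uses PHP's defaults (ENT_COMPAT and the default charset).
function plugin_load_error_patched($plugin_page) {
    return sprintf('Cannot load %s.', htmlentities($plugin_page));
}

// Stricter variant (assumption, not the project's code): only a value
// that names a registered plugin page is ever echoed, and the encoding
// names its quote handling and charset explicitly.
function plugin_load_error_strict($plugin_page, array $registered_pages) {
    if (!in_array($plugin_page, $registered_pages, true)) {
        // Unknown input is rejected and never reflected at all.
        return 'Cannot load the requested plugin page.';
    }
    return sprintf('Cannot load %s.',
        htmlentities($plugin_page, ENT_QUOTES, 'UTF-8'));
}

// Constructed input: the URL-decoded form of the page value from the post.
$payload = '<SCRIPT>alert("XSS");</SCRIPT>';
// Constructed list of pages a plugin would have registered.
$registered = array('my-plugin/options.php');

// The first call returns the tag intact; the second returns it encoded
// (&lt; &gt; &quot;); the third returns the generic message because the
// payload is not a registered page.
echo plugin_load_error_vulnerable($payload), "\n";
echo plugin_load_error_patched($payload), "\n";
echo plugin_load_error_strict($payload, $registered), "\n";
```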
