Critical XSS Flaws Patched In WordPress and Popular Plug-In
itwbennett writes: The WordPress development team on Thursday released critical security updates that address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments. 'In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,' said Jouko Pynnonen, the security researcher who found the flaw.
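The summary describes a stored XSS: attacker-supplied comment text is rendered as HTML for every reader. The following is an added example, not WordPress code and not a reproduction of the patched bug, showing why a regex-based "strip the script tags" sanitizer of the kind many comment systems once used is bypassable, and why escaping the comment body on output is the safe default. The payloads, function names and the `renderComment` template are constructed for the illustration.

```javascript
// Added example (not WordPress or plug-in code): naive regex "sanitizing"
// of a comment body versus escaping it on output.

// Naive sanitizer: remove <script> and </script> tags in a single pass and
// pass everything else through to the page as HTML.
function naiveStripScriptTags(html) {
  return html.replace(/<\/?script>/gi, '');
}

// Safe default: treat the comment as plain text and escape every HTML
// metacharacter, so the browser never parses attacker input as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render a comment the way a template would: the (sanitized) body dropped
// into a wrapper element.
function renderComment(body, sanitizer) {
  return '<div class="comment">' + sanitizer(body) + '</div>';
}

// Crude detector used only by this demo: does the rendered HTML contain a
// <script> element, or any tag carrying an on* event-handler attribute?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed payloads (illustrative, not taken from any real attack):
const PAYLOADS = [
  // No <script> tag at all: the stripper never fires, the handler survives.
  '<img src=x onerror="alert(1)">',
  // Nested tags: one pass of stripping reassembles a working <script>.
  '<scr<script>ipt>alert(1)</scr<script>ipt>',
];

// For each payload, does the naive sanitizer let active content through,
// and does output escaping neutralize it?
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    naiveBypassed: containsActiveContent(renderComment(p, naiveStripScriptTags)),
    escapedSafe: !containsActiveContent(renderComment(p, escapeHtml)),
  }));
}

for (const r of demo()) {
  console.log(JSON.stringify(r));
}
```

The second payload shows the general failure mode of blacklist stripping: removing a token can create the very token you removed, so any single-pass stripper needs to be run to a fixed point, and even then it only covers the tags it knows about. Escaping on output has no such list to get wrong; if links or limited formatting must be allowed, that belongs in a real HTML parser with an allowlist, not in a regular expression.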
Sanitizing HTML input with regular expressions, what could possibly go wrong?
The real question is, why is anybody still running WordPress?
Because Drupal has security flaws, too.
Not everyone wants to write their own CMS and deal with the security issues. WordPress is probably the absolute worst choice, though.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Because it's very easy to use for people with their own domain but little tech knowledge, it has a massive amount of themes and plugins to choose from (which I admit can be a problem), and it has far fewer security issues than any comparable CMS.
I've worked with hosting abuse for a long time, and it's fairly rare to see a hacked WP nowadays - unless the owner of the site has turned off auto-updating. Hacked Joomla, modX or Drupal sites are much more common.