A cross-site scripting (XSS) vulnerability has been found in wp-admin/template.php which could allow malicious web users to inject arbitrary web scripts or HTML code through the file parameter.
This exploit could allow remote attackers to do nasty things by injecting PHP or HTML code into your WordPress core files.
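The pattern behind a reflected XSS of this kind, beside its hardened counterpart, as an added PHP example that is not WordPress's code nor the patched template.php; the function names and the allow-list of theme files are assumptions:

```php
<?php
// Added illustration, not WordPress's own code: a theme-editor style page that
// reflects the "file" request parameter into its HTML. First the pattern that
// produces an XSS like the one described above, then a hardened version.

// Vulnerable pattern: the raw parameter is placed straight into the markup, so a
// value containing tags is rendered as HTML in the administrator's browser.
function render_file_name_vulnerable(string $file): string
{
    return "<p>Editing <strong>$file</strong></p>";
}

// Hardened pattern, two independent controls:
//  1. the parameter must match an allow-list of editable theme files (assumed
//     list here; a real application would derive it from the active theme);
//  2. whatever is echoed is HTML-escaped, so markup is displayed, not interpreted.
function render_file_name_safe(string $file, array $allowed_files): string
{
    if (!in_array($file, $allowed_files, true)) {
        return '<p>Unknown file.</p>';
    }
    $escaped = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Editing <strong>$escaped</strong></p>";
}

// Constructed inputs so the script runs stand-alone (no web server needed).
$allowed  = ['index.php', 'style.css', 'header.php'];
$hostile  = '"><i>injected</i>';   // constructed value carrying HTML markup
$ordinary = 'style.css';

// The vulnerable renderer emits the <i> tag verbatim; a browser would render it.
echo "Vulnerable: ", render_file_name_vulnerable($hostile), PHP_EOL;

// The hardened renderer rejects the hostile value: it is not an allowed theme file.
echo "Hardened:   ", render_file_name_safe($hostile, $allowed), PHP_EOL;

// A legitimate file name passes the allow-list and is echoed escaped.
echo "Hardened:   ", render_file_name_safe($ordinary, $allowed), PHP_EOL;

// Escaping on its own (without the allow-list) also neutralises the markup:
// the quote and angle brackets come out as HTML entities.
echo htmlspecialchars($hostile, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Run it from the command line with `php` to compare the three outputs; the allow-list check is what keeps an unexpected value out of the page at all, while escaping protects the values that are allowed through.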
Vulnerable versions of WordPress:
- WordPress 2.0.5
- WordPress 2.0.4
- WordPress 2.0.3
- WordPress 2.0.2
- WordPress 2.0.1
- WordPress 2.0
- WordPress 1.5.
- WordPress 1.5.1.3
- WordPress 1.5.1.2
- WordPress 1.5.1
- WordPress 1.5
- WordPress 1.2.2
- WordPress 1.2.1
- WordPress 1.2
- WordPress 0.71
- WordPress 0.7
- WordPress (B2) 0.6.2.1
- WordPress (B2) 0.6.2
The simplest way to fix this exploit would be to download the patched version of template.php and replace your existing wp-admin/template.php with it.
Read more about this exploit on Operation N or Security Focus.
WordPress is a powerful blogging script, and I'm sure lots of you are blogging with it. Don't wait any longer; go patch your template.php file now.


Discussion
Comments for “Wordpress template.php Exploit Discovered”