Blogging platform vulnerable to cross-scripting attacks
By Ron Condon, UK Bureau Chief
Put down that champagne bottle and go back to your computer. It may be tempting to begin celebrating the start of a new year, but according to WordPress, a newly discovered vulnerability in the widely used blogging platform really warrants instant attention.
The company has discovered a security bug affecting millions of blogs. The problem is in its HTML sanitation library, called KSES, which is supposed to filter out undesirable bits of HTML code. The vulnerability, which has been flagged as ‘critical’, could expose the WordPress blog to a cross-site scripting attack.
Researcher Matt Mullenweg, writing on the WordPress blog:
I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. … [It] is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”
WordPress 3.0.4 is available immediately.
Chester Wisniewski, a senior security advisor at Sophos Canada said the WordPress vulnerability can be easily exploited by an attacker. :
“On initial inspection it would appear to be quite trivial for folks with malicious intent to exploit these flaws, so consider applying this update before popping the cork on the bubbly on New Year’s Eve.”