Security Bytes

Dec 30 2010   2:13PM GMT

Update fixes critical WordPress vulnerability

ITKE ITKE Profile: ITKE

Blogging platform vulnerable to cross-scripting attacks

By Ron Condon, UK Bureau Chief

Put down that champagne bottle and go back to your computer. It may be tempting to begin celebrating the start of a new year, but according to WordPress, a newly discovered vulnerability in the widely used blogging platform really warrants instant attention.

The company has discovered a security bug affecting millions of blogs. The problem is in its HTML sanitation library, called KSES, which is supposed to filter out undesirable bits of HTML code. The vulnerability, which has been flagged as ‘critical’, could expose the WordPress blog to a cross-site scripting attack.

Researcher Matt Mullenweg, writing on the WordPress blog:

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. … [It] is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

WordPress 3.0.4 is available immediately.

Chester Wisniewski, a senior security advisor at Sophos Canada said the WordPress vulnerability can be easily exploited by an attacker. :

“On initial inspection it would appear to be quite trivial for folks with malicious intent to exploit these flaws, so consider applying this update before popping the cork on the bubbly on New Year’s Eve.”

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: