WordPress has grown in popularity in recent months, emerging as a leading free alternative to Movable Type, which alienated many users with new licensing terms. The vulnerability could allow hackers to create a URL that generates pages in WordPress from content created by the hacker, rather than the site owner. An unsuspecting user following such a link would be sent to the trusted WordPress-based site, but encounter fake content that could include a range of exploits, such as links that infect their computers with spyware or trojans.
"Nearly every file in the administration panel of WordPress is vulnerable for XSS attacks," writes Thomas Waldegger, who discovered the flaws and posted them to a security mailing list. Waldegger said he had reported the flaw but received no response from the WordPress development team, which acknowledged the vulnerability and said a fix is forthcoming.
"We are disappointed that we were not given the opportunity to release fixes for the problems before the information was made public, as is the usual courtesy in the security community," said a post on the WordPress forum. "However, that's water under the bridge at this point. Expect a WordPress 1.2.1 release soon, which will address these issues."
Cross-site scripting is a well known technique which involves injecting the text of code to be executed by the browser into urls that generate dynamic pages. These attacks have been a historic problem for PHP-based content management systems (CMS) such as the popular PHPNuke and PostNuke. These apps are commonly targeted by hackers, as they offer numerous scripts that generate pages based on info appended to URLs, usually from links within the site. To be properly secured, these scripts should validate URLs to check for rogue code.
WordPress, which is released under the GNU General Public License (GPL), gained users after Six Apart tightened the licensing terms on Movable Type, prompting platform shifts from alienated MT power users.