digital bites

Latest WP 2.0.1 is vulnerable to severall cross-site-scripting (XSS) attacs through the comments feature. This issue was discovered by the Neo Security Team.

To fix the issue, add htmlentities() around each call to trim() in wp-comments-post.php:

$comment_author = htmlentities(trim($_POST['author'])); $comment_author_email = htmlentities(trim($_POST['email'])); $comment_author_url = htmlentities(trim($_POST['url'])); $comment_content = htmlentities(trim($_POST['comment']));

This entry was posted on Friday, March 3rd, 2006 at 12:57 pm and is filed under WordPress. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.