Description

WordPress MU is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. WordPress MU versions prior to 2.7 are vulnerable.

Remediation

Update to WordPress MU version 2.7 or latest

References

http://www.exploit-db.com/exploits/8196/

http://www.securityfocus.com/archive/1/501667

http://packetstormsecurity.org/files/view/75622/wordpressmuhost-xss.txt

Related Vulnerabilities

MySQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-14634)

WordPress Plugin My Category Order 'parentID' Parameter SQL Injection (2.8)

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-3634)

WordPress Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2017-8295)

WordPress Plugin Canto Multiple Server-Side Request Forgery Vulnerabilities (1.7.0)

Severity

High

Classification

CVE-2009-1030 CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update XSS