Description

Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.

Remediation

References

CVE-2007-1049

Related Vulnerabilities

Magento Observable Differences in Behavior to Error Inputs Vulnerability (CVE-2020-15151)

WordPress 5.1.x Multiple Vulnerabilities (5.1 - 5.1.17)

MySQL CVE-2020-14800 Vulnerability (CVE-2020-14800)

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-39200)

WordPress Plugin StatPressCN 'wp-admin/admin.php' Multiple Cross-Site Scripting Vulnerabilities (1.9.0)

Severity

Medium

Classification

CVE-2007-1049

Tags

Missing Update Known Vulnerabilities