WordPress Upload.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	25158
Class:	Input Validation Error
CVE:	CVE-2007-4139
Remote:	Yes
Local:	No
Published:	Aug 01 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	Benjamin Flesch is credited with the discovery of this vulnerability.
Vulnerable:	WordPress WordPress 2.2.1
Not Vulnerable:

WordPress Upload.PHP Cross-Site Scripting Vulnerability

WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects WordPress 2.2.1; prior versions may also be affected.

WordPress Upload.PHP Cross-Site Scripting Vulnerability

An attacker may exploit this issue by enticing an unsuspecting user to follow a malicious URI.

WordPress Upload.PHP Cross-Site Scripting Vulnerability

Solution:
The vendor released updates to address this issue. Please see the references for more information.

WordPress Upload.PHP Cross-Site Scripting Vulnerability

References:

• Wordpress uploads.php Cross-Site Scripting Vulnerability (Wordpress)