SECURITYVULNS:DOC:29555
Jul 15, 2013

CS, XSS and FPD vulnerabilities in WordPress

vulners.com

Hello 3APA3A!

These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress.

In the WordPress 3.5.2 release (the same as in the 3.5.1 release), the WP developers mentioned multiple fixed holes, but not all of them, to make it look like there were fewer fixed holes. So I'm revealing this information for you.

In March I wrote about Content Spoofing and Cross-Site Scripting vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which is also bundled with WordPress), and I mentioned that they concerned only versions before WordPress 3.3.2 and were fixed in version 3.3.2 together with the 2012 XSS hole. But I checked these holes in older versions of WP and in version 3.5.1.

And as I found two weeks ago, these CS and XSS vulnerabilities were fixed exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable, and in version 3.5.1 the developers included an updated version of SWFUpload without mentioning these fixes (they like to do such things); they only mentioned the fixes in SWFUpload in WP 3.5.2.

There are fixed vulnerabilities in WordPress 3.5.2 which are not mentioned in the announcement and codex, like the Full path disclosure vulnerability mentioned below (which I disclosed last week), even though they did mention an FPD during upload.


Affected products:

For CS and XSS, the vulnerable versions are WordPress 2.7 - 3.5.

For FPD, the vulnerable versions are WordPress 3.4 - 3.5.1.


Details:

Content Spoofing (WASC-12):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and HTML (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

The code will execute after a click. It's strictly social XSS.

Full path disclosure (WASC-13):

http://site/wp-admin/users.php?s=http://

There is an FPD when the search string starts with http:// or https://.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
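The following is an added detection example and is not part of MustLive's post or of WordPress/SWFUpload code. It scans web-server access-log lines for the two request shapes the advisory describes: a swfupload.swf request whose decoded buttonText parameter carries HTML markup (content spoofing, or XSS when the markup contains a javascript: URL, a script tag or an inline event handler), and a wp-admin/users.php search string beginning with http:// or https:// (the FPD trigger). The log format (Apache combined), the client addresses and timestamps, the benign requests and the finding labels are all constructed assumptions; only the three query strings come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines for the demo. The two swfupload.swf
# payloads and the users.php search string are the ones quoted in the advisory;
# the hosts, timestamps and the benign requests are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2013:10:01:02 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 1234
203.0.113.5 - - [15/Jul/2013:10:01:09 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E HTTP/1.1" 200 1234
203.0.113.5 - - [15/Jul/2013:10:02:33 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=Upload HTTP/1.1" 200 1234
198.51.100.7 - - [15/Jul/2013:10:03:00 +0000] "GET /wp-admin/users.php?s=http:// HTTP/1.1" 200 5678
198.51.100.7 - - [15/Jul/2013:10:03:05 +0000] "GET /wp-admin/users.php?s=alice HTTP/1.1" 200 5678
"""

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that turns injected buttonText from spoofed content into script
# execution: a javascript: URL, a <script> tag, or an inline event handler.
SCRIPT_RE = re.compile(r"javascript:|<script|\bon\w+\s*=", re.IGNORECASE)


def classify_target(target):
    """Return finding labels (constructed names) for one request target.

    The query string is URL-decoded before inspection, so percent-encoding
    of '<' or of the scheme does not hide the pattern.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # SWFUpload renders buttonText as HTML inside the Flash movie, so any tag
    # in it is a spoofing attempt; script-bearing markup is classed as XSS.
    if path.endswith("/wp-includes/js/swfupload/swfupload.swf"):
        for value in params.get("buttonText", []):
            if "<" in value:
                findings.append("swfupload-xss" if SCRIPT_RE.search(value)
                                else "swfupload-content-spoofing")
                break

    # users.php: a search string that starts with a URL scheme is the
    # full-path-disclosure trigger described in the advisory.
    if path.endswith("/wp-admin/users.php"):
        for value in params.get("s", []):
            if value.lower().startswith(("http://", "https://")):
                findings.append("users-search-fpd-probe")
                break

    return findings


def scan_log(text):
    """Scan access-log text; return [(line_no, client_ip, target, finding), ...]."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for finding in classify_target(m.group("target")):
            hits.append((line_no, client_ip, m.group("target"), finding))
    return hits


if __name__ == "__main__":
    for line_no, ip, target, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding} from {ip}: {target}")
```

This is detection, not a fix: per the advisory the SWFUpload issues were closed in WordPress 3.5.1 and the users.php FPD in 3.5.2, so a hit on a patched site is a probe rather than an exposure, while a hit on a version in the affected ranges above is a reason to update.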