WordPress 3.3 XSS Vulnerability Patched (3.3.1 Released)

  • January 3, 2012

We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.

The disclosed vulnerability can only be triggered via Internet Explorer according to the disclosing party, our tests lead to the same result.

To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)

We do not consider this to be a serious vulnerability, however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex, over via the release post.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
8 comments

    1. Hey Mika, this should clear it up a bit – http://www.ethicalhack3r.co.uk/security/wordpress-3-3-cross-site-scripting-xss/

      If your site is accessible by IP vs. Domain you are vulnerable.

  2. Pingback: wp-coder.net » WordPress 3.3.1 is available, ready for your upgradin’
  3. Pingback: A Free wordpress newsletter » WordPress 3.3.1 is available, ready for your upgradin’
  7. Pingback: 2012 Web Malware Trends Report Summary | Sucuri Blog

Comments are closed.

Related Categories
You May Also Like