WordPress was "born out of a desire for an elegant, well-architectured personal publishing system built on PHP and MySQL and licensed under the GPL. It is the official successor of b2/cafelog. WordPress is fresh software, but its roots and development go back to 2001. It is a mature and stable product. We hope by focusing on user experience and web standards we can create a tool different from anything else out there".
While testing WordPress it was discovered that there is a XSS vulnerability in the CSRF protection of WordPress's administration interface. This might result in a compromise of the admin account and might result in the execution of arbitrary PHP code.
* WordPress version 2.0.5 and prior
* WordPress version 2.0.6
The administration interface within WordPress comes with a token based CSRF protection. When a request is received with an invalid token it is not discarded like in many similar applications, but a warning screen is returned that asks the admin to verify the action by clicking on a link (that contains a valid token).
Unfortunately there was a bug in the way the request information (URL variables) was put into the new link. Due to this fault it was possible to break out of the HTML string context by embedding quotes and HTML tags into the names of URL variables.
Due to this is is possible to launch XSS attacks against admin users currently logged into their WordPress and perform all possible administrative actions (or simply steal the login cookie). Depending on the file permissions on the server (for example a writeable wp-config.php or template file) this can also be exploited to execute arbitrary PHP code.
14. November 2006 - Notified firstname.lastname@example.org
05. January 2007 - WordPress 2.0.6 release
05. January 2007 - Public Disclosure
We strongly recommend to upgrade to WordPress 2.0.6 which also fixes several other security vulnerabilities not covered by this advisory: http://wordpress.org/download/