WordPress Issues Critical Update

WordPress has fixed a cross-site scripting (XSS) vulnerability in its core. WordPress 3.0.4 contains the fix, which founder Matt Mullenweg calls “critical.” Hosted WordPress.com customers don’t need to act, as security updates are applied automatically for them; self-hosted sites have to apply the update themselves.

XSS attacks inject attacker-controlled script into a page, where it runs in the visitor’s browser with that visitor’s session, and so can be used to steal login credentials, session cookies or other sensitive information from visitors to the affected site. According to ReadWriteWeb staff hacker Tyler Gilles, this is similar to the XSS vulnerability that affected Twitter users recently, and WordPress’s fix is similar to Twitter’s.

The vulnerability was in KSES, the HTML sanitization library WordPress uses to filter the markup users are allowed to submit in posts and comments; a bypass of that filter lets attacker-supplied HTML reach other users’ browsers unfiltered. WordPress was notified of the issue by Mauro Gentile and Jon Cave.

Mullenweg writes that although the WordPress team has given the update “a lot of thought and review”, it would like the fix reviewed by as many security researchers as possible and invites everyone to look at the changeset.

Developers wanting to avoid XSS vulnerabilities in their own projects should read the XSS (Cross Site Scripting) Prevention Cheat Sheet from the Open Web Application Security Project (OWASP). Its core advice is to encode untrusted data for the exact context it is placed in (HTML body, attribute value, JavaScript, CSS or URL) and, where users must be allowed to submit HTML, to sanitize it against an allowlist of tags and attributes rather than trying to blocklist dangerous ones. According to OWASP, XSS is the second most common security vulnerability on the web.
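The two techniques above, contextual output encoding and allowlist-based HTML sanitization of the kind KSES performs, as an added example that is not part of the original article and is not WordPress, KSES or OWASP code. The tag and attribute allowlist, the accepted URL schemes and the sample comment are all constructed for this example (KSES’s real allowlist is larger); the point it shows is that attribute values must be entity-decoded before the URL scheme is checked, and that dropping anything not on the allowlist removes event handlers without having to enumerate them. Plain Node.js, no dependencies.

```javascript
// Added example (not WordPress/KSES code): a small allowlist-based HTML
// sanitizer plus the contextual output encoding the OWASP cheat sheet
// recommends. The allowlist below is illustrative, not KSES's real one.

// Encoder for the HTML body and quoted-attribute contexts: every character
// that can start markup or end a quoted value becomes an entity.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ESC[c]);
}

// Decode character references the way a browser would before inspecting an
// attribute value, so "&#106;avascript:" is seen as "javascript:".
// A Map is used so names like "constructor" never hit Object.prototype.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+);?|#([0-9]+);?|([a-z]+);)/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    return NAMED.get(name.toLowerCase()) ?? m;
  });
}

// Illustrative allowlist (an assumption for this example): tag -> attributes.
// Anything not listed, including every on* event handler, is dropped; a
// blocklist of "dangerous" names is exactly what sanitizer bypasses target.
const ALLOWED_TAGS = new Map([
  ['a', ['href', 'title']], ['img', ['src', 'alt']],
  ['b', []], ['i', []], ['em', []], ['strong', []], ['p', []], ['br', []],
]);
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function safeUrl(value) {
  // Strip control characters and whitespace that browsers ignore and that
  // attackers use to disguise a scheme (e.g. "java\tscript:").
  const v = value.replace(/[\x00-\x20\x7f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (!m) return true;                     // scheme-less, i.e. relative, URL
  return ALLOWED_SCHEMES.has(m[1]);
}

// One attribute: a name, then an optional ="..." / '...' / bare value.
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Either a complete tag (quoted attribute values may contain ">") or a single
// character that must be encoded when it appears in text. An unterminated
// tag never matches the first branch, so its "<" is encoded as text.
const TOKEN_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b((?:"[^"]*"|'[^']*'|[^"'>])*)>|[&<>"']/g;

function sanitizeHtml(input) {
  return String(input).replace(TOKEN_RE, (m, slash, tag, attrs) => {
    if (tag === undefined) return encodeForHtml(m); // stray <, >, &, quote in text
    const name = tag.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS.get(name);
    if (allowedAttrs === undefined) return '';      // unknown tag: drop it, keep its text
    if (slash) return `</${name}>`;
    let out = `<${name}`;
    for (const [, aname, dq, sq, bare] of attrs.matchAll(ATTR_RE)) {
      const attr = aname.toLowerCase();
      if (!allowedAttrs.includes(attr)) continue;   // covers onclick, onerror, style, ...
      const value = decodeEntities(dq ?? sq ?? bare ?? '');
      if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
      out += ` ${attr}="${encodeForHtml(value)}"`;   // re-encode for the attribute context
    }
    return out + '>';
  });
}

// Constructed sample comment, as an attacker might submit it.
const SAMPLE = '<b>Hi</b> <a href="&#106;avascript:alert(1)" onclick="x()">link</a><script>alert(1)</script>';
console.log(sanitizeHtml(SAMPLE));   // <b>Hi</b> <a>link</a>alert(1)
```

The sanitizer keeps the text of a dropped tag rather than the tag itself, which is why `<script>alert(1)</script>` survives only as the harmless literal `alert(1)`. The URL check runs on the decoded, whitespace-stripped value but the emitted value is re-encoded with `encodeForHtml`, so the output is safe for the quoted-attribute context regardless of what the input looked like.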
