from Hacker News

WordPress XSS 0day

by jchavannes on 4/27/15, 7:01 PM with 3 comments

  • by lol768 on 4/27/15, 7:14 PM

    The blog post linked (http://klikki.fi/adv/wordpress2.html) in the article is rather worrying to read - especially the "Solution" section which suggests Klikki Oy had a lot of trouble communicating with WordPress and getting the bug fixed.

    Interestingly, the WordPress blog states "A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen."

    I'm not very familiar with WordPress or its plugins, but does it make use of Content-Security-Policy headers? Those might've helped to minimise the risk (at least for users with modern browsers) to users browsing WordPress sites.
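As an added illustration of the Content-Security-Policy question raised in the comment above (this is example code written for this thread, not WordPress core code and not anything from Klikki Oy or the linked advisory): a must-use plugin that sends a report-only CSP on front-end responses. It assumes a hypothetical report collector at `/csp-report/` and uses the real WordPress `send_headers` action and `add_action()` API. A `script-src` without `'unsafe-inline'` is what would stop a `<script>` tag injected through a comment from executing in CSP-aware browsers, but WordPress core and many plugins/themes emit inline scripts of their own, so the policy is deployed under the `Content-Security-Policy-Report-Only` header first and only switched to the enforcing header name once the reports show nothing legitimate breaks.

```php
<?php
/**
 * Plugin Name: CSP Report-Only header (example, not WordPress core)
 * Description: Sends a Content-Security-Policy-Report-Only header on public
 * pages so CSP violations (for instance an inline script injected into a
 * comment) are reported to a collector instead of silently executing.
 * Install by copying into wp-content/mu-plugins/.
 */

// Hypothetical policy; /csp-report/ is a placeholder endpoint you must provide.
function example_csp_policy(): string {
    $directives = [
        "default-src 'self'",
        // No 'unsafe-inline' here: an injected <script> in a comment is blocked.
        // Expect reports from WP core's own inline scripts until those are moved
        // to external files or a nonce-based scheme.
        "script-src 'self'",
        // WP core emits inline styles; relaxed for now, tighten once reports are clean.
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",
        "report-uri /csp-report/",
    ];
    return implode('; ', $directives);
}

function example_send_csp_header(): void {
    // send_headers only fires for front-end requests; wp-admin depends on
    // inline scripts and needs its own, separately tuned policy.
    if (is_admin() || headers_sent()) {
        return;
    }
    // Report-Only first. Rename to "Content-Security-Policy:" to enforce.
    header('Content-Security-Policy-Report-Only: ' . example_csp_policy());
}
add_action('send_headers', 'example_send_csp_header');
```

Two caveats worth keeping in mind: CSP is a defence-in-depth layer for visitors whose browsers support it, not a substitute for fixing the stored XSS in WordPress itself, and an overly strict policy pushed straight to enforcing mode is a reliable way to break a site, which is why the report-only stage exists.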

  • by breakingcups on 4/28/15, 11:04 AM

    Let's wait on the obligatory Cloudflare blog post talking about how their paying customers are protected.