WordPress XSS vulnerability - what you should know


tangor

9:37 pm on Mar 14, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
A newly revealed vuln in the open-source CMS WordPress allows an unauthenticated website attacker to remotely execute code – potentially letting naughty folk delete or edit blog posts.

The flaw, detailed by German code-checking company RIPS Technologies in a blog post, can be exploited "by tricking an administrator of a target blog to visit a website set up by the attacker" in order to activate a cross-site request forgery exploit.
[theregister.co.uk...]
As always, be up to date and current on installs and patches!

not2easy

10:06 pm on Mar 14, 2019 (gmt 0)

That's good to know, but there isn't anything to patch; the article warns of an exploit not likely to affect security-conscious admins:
The attack relies on a) the target site having comments enabled, and b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. Security-aware folk are unlikely to be affected by this.

tangor

10:20 pm on Mar 14, 2019 (gmt 0)

Or ... as the article continues:

To avoid this rather convoluted vuln, WordPress admins should ensure their installs are patched to version 5.1.1, or, failing that, disable comments until the core site can be patched.

Agreed that admins might cause the problem ... but having the latest install would obviate that.

YMMV