Red Hat Bugzilla – Bug 437754
CVE-2008-1304 wordpress: multiple XSS issues in invite action
Last modified: 2016-03-04 07:19:28 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1304 to the following vulnerability:
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2
allow remote attackers to inject arbitrary web script or HTML via the
(1) inviteemail parameter in an invite action to wp-admin/users.php
and the (2) to parameter in a sent action to wp-admin/invites.php.
I'm quite confused by this CVE id and it's description. Original report
mentions WP 2.3.2, but there is not invites.php or actually no 'invite' anywhere
in the WP 2.3.2 or 2.3.3 sources.
So this seems to affect either some customized WP version, WP with some plugin
or multi-user WP (WPMU, http://mu.wordpress.org/, reported to power
wordpress.com blogs). WPMU does have invite functionality, but its latest
version is 1.3.3 (according to the download page).
So it sounds like we do not have to do anything, right?
All supported Fedora versions are using 2.3.3. The CVE is only talking about 2.3.2.
So for now, I would say, we do not need to react.
CVE description only mentions 2.3.2, as that's what is listed in the initial
report (second link in comment #0 in this bug). As I mentioned above, it does
not even seem to affect WP 2.3.2.
So unless anyone can see something obvious I may be overlooking, I'm tempted to