Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1304 to the following vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php. http://www.securityfocus.com/archive/1/archive/1/489241/100/0/threaded http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vulnerabilities.html?id=114 http://www.securityfocus.com/bid/28139 http://securitytracker.com/id?1019564 http://xforce.iss.net/xforce/xfdb/41056 http://xforce.iss.net/xforce/xfdb/41055
I'm quite confused by this CVE id and it's description. Original report mentions WP 2.3.2, but there is not invites.php or actually no 'invite' anywhere in the WP 2.3.2 or 2.3.3 sources. So this seems to affect either some customized WP version, WP with some plugin or multi-user WP (WPMU, http://mu.wordpress.org/, reported to power wordpress.com blogs). WPMU does have invite functionality, but its latest version is 1.3.3 (according to the download page).
So it sounds like we do not have to do anything, right? All supported Fedora versions are using 2.3.3. The CVE is only talking about 2.3.2. So for now, I would say, we do not need to react.
CVE description only mentions 2.3.2, as that's what is listed in the initial report (second link in comment #0 in this bug). As I mentioned above, it does not even seem to affect WP 2.3.2. So unless anyone can see something obvious I may be overlooking, I'm tempted to close-notabug this.