WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection. http://openwall.com/lists/oss-security/2008/11/14/1 http://bugs.debian.org/504771
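The mechanism behind the description above, as an added illustration that is not WordPress code and not from this bug report: PHP's $_REQUEST is the merge of $_GET, $_POST and, depending on the request_order / variables_order ini settings, $_COOKIE. When cookies are included, a value planted once in a cookie is replayed on every later request, which is what turns a one-shot CSRF into a delayed, persistent one. The handler names, the "action" and "_nonce" parameter names and the sample arrays below are constructed for the example; the hardened variant stands in for the nonce check a real application would do (WordPress has wp_verify_nonce() for that).

```php
<?php
// Added example (not WordPress code): reading a state-changing parameter from
// $_REQUEST versus reading it only from $_POST with a nonce check.

// Vulnerable pattern: the handler cannot tell whether "action" arrived in the
// query string, the form body or a cookie, so a planted cookie is honoured on
// every request until it expires.
function handle_request_vulnerable(array $request): string
{
    // $request is what $_REQUEST would contain
    if (isset($request['action']) && $request['action'] === 'delete') {
        return 'user deleted';
    }
    return 'no-op';
}

// Hardened pattern: only the POST body is consulted, and the request must
// carry a per-session nonce that a cookie alone cannot supply.
// $expected_nonce is a placeholder for the server-side value.
function handle_request_hardened(array $post, string $expected_nonce): string
{
    if (!isset($post['action'], $post['_nonce'])) {
        return 'no-op';
    }
    // constant-time comparison; hash_equals() exists since PHP 5.6
    if (!hash_equals($expected_nonce, (string) $post['_nonce'])) {
        return 'rejected: bad nonce';
    }
    if ($post['action'] === 'delete') {
        return 'user deleted';
    }
    return 'no-op';
}

// Constructed sample request: empty query string and form body, but a cookie
// named "action" is present. With a cookie-inclusive request order PHP merges
// the sources in G, P, C order, so the cookie value ends up in $_REQUEST.
$sample_get     = [];
$sample_post    = [];
$sample_cookie  = ['action' => 'delete'];   // constructed, attacker-controlled
$sample_request = array_merge($sample_get, $sample_post, $sample_cookie);

echo handle_request_vulnerable($sample_request), "\n";
echo handle_request_hardened($sample_post, 'server-side-nonce'), "\n";

// Operational check for an existing deployment: whether this PHP build folds
// cookies into $_REQUEST depends on these two ini values. A request_order of
// "GP" (the php.ini-production default) excludes cookies; an unset
// request_order falls back to variables_order, whose built-in default "EGPCS"
// includes them.
echo 'request_order=', var_export(ini_get('request_order'), true),
     ' variables_order=', var_export(ini_get('variables_order'), true), "\n";
```

The two ini values are the first thing to check on a host running an affected version: setting request_order = "GP" removes the cookie channel from $_REQUEST globally, which contains this class of issue without touching application code, while the code-level fix (explicit $_POST plus a nonce) is what removes the CSRF itself.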
Created wordpress tracking bugs for this issue:
CVE-2008-5113 Affects: F8 [bug #471990]
CVE-2008-5113 Affects: F9 [bug #471991]
CVE-2008-5113 Affects: Fdevel [bug #471992]
2.6.5 is available, which seems to fix the security vulnerability: http://wordpress.org/development/2008/11/wordpress-265/ They do not mention the CVE number as far as I can see, but the changes to feed.php seem to change the behaviour concerning the REQUEST variable: http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=#file2 I will push updates for wordpress.
From this quick look at the 2.6.3 -> 2.6.5 changeset, I fail to see any change that may possibly be related to this issue. $_REQUEST still seems to be widely used in 2.6.5; feed.php is unlikely to be the only affected place. Please do not mention this bug/CVE in the 2.6.5 update request.
According to http://codex.wordpress.org/CVEs#2008 this only affected 2.6.3.