An improper input sanitization flaw was found in the way WordPress performed plugin removal. A remote attacker, with WordPress administrator privilege, could use this flaw to conduct cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code) via a specially-crafted plugin name, author or directory path.

References:
[1] http://codex.wordpress.org/Version_3.0.2

Upstream changeset:
[2] http://core.trac.wordpress.org/changeset/16373
This issue affects the versions of the wordpress package, as shipped with Fedora releases 13 and 14. Please fix.

--

This issue affects the version of the wordpress package, as present within the EPEL-5 repository. Please schedule an update.
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/02/1
Created wordpress tracking bugs for this issue

Affects: fedora-all [bug 659319]