WordPress AndyBlue Theme Searchform.PHP Cross-Site Scripting Vulnerability
TITLE: WordPress AndyBlue Theme Searchform.PHP Cross-Site Scripting Vulnerability
CLASS: Input Validation Error
CVE: CVE-2007-3239
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 15 2007 12:00AM
UPDATE: Jun 15 2007 07:19PM
CREDIT: zamolx3@gmail.com reported this vulnerability.
VULNERABLE:
WordPress AndyBlue Theme For WordPress 1.4NOT VULNERABLE:
Vai alla pagina originale su Security Focus
Discussion
The AndyBlue theme for WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The AndyBlue theme for WordPress 1.4 is vulnerable; other versions may also be affected.
Exploit
An attacker may exploit this issue by enticing an unsuspecting user to follow a malicious URI.
Solution
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.
References
References:
- AndyBlue 1.x (theme for WordPress) (AndyBlue Theme for Wordpress)
- AndyBlue XSS advisory (xssnews.com)
- WordPress Homepage (WordPress)