[VIM] Secunia SA32060 - WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities

Sullo sullo at cirt.net
Wed Oct 1 15:10:56 UTC 2008

WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities

Points to this post:

From Post:
"In /wp-admin/wpmu-blogs.php an attacker can inject javascript code,
the input variables "s" and "ip_address" of GET method aren't properly
sanitized"

From Secunia Description:
"Input passed to the "s" and "ip_address" parameters in
wp-admin/wp-blogs.php is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site."

Note the wp-blogs.php vs wpmu-blogs.php. I've confirmed that
"wp-blogs.php" doesn't exist in the MU downloads below 2.6.0, so the
Secunia text is incorrect.

Just wanted to make sure everyone caught that and see if Secunia can

