Researchers have found a string of weaknesses in the WordPress default installation page, including PHP code execution and a persistent cross-site scripting flaw, affecting versions 3.3.1 and later. WordPress officials say that they’re not planning to fix the vulnerabilities as there’s only a small possibility of exploitation by attackers.
The flaws were found by researchers at TrustWave’s SpiderLabs, and in their advisory on the WordPress bugs, they describe how attackers would be able to exploit them. In the advisory, the researchers also include code that can be used to demonstrate the problems. Executing attacks on the vulnerabilities does require some specific conditions to be present.
There also are other XSS vulnerabilities in the setup page for WordPress installations.
Officials from WordPress said that there is little risk of exploitation, so they will not be publishing patches for the vulnerabilities.
“We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small,” WordPress officials said in response to the disclosures.