A pair of researchers have identified a cross-site scripting vulnerability in WordPress 3.3, however the bug is only reproducible on installations that were installed using an IP address rather than a domain.
The vulnerability was identified and published by Aditya Modha and Samir Shah, who posted some code that will demonstrate the vulnerability in affected installations. They said in their analysis of the flaw that the bug can be triggered by posting a specially crafted comment to a WordPress blog that is vulnerable. However, it doesn’t appear that the number of vulnerable installations is very high.
Another security researcherm Ryan Dewhurst, said he was corresponding with Modha and Shah and was having problems reproducing the vulnerability. They eventually worked out the bit about installations put in via domains versus IP addresses.
“The XSS occurs because $_SERVER[‘REQUEST_URI’] (the URI which was given in order to access the page) was used within output before first being sanitized. Or better yet, it shouldn’t have been used at all,” Dewhurst wrote in his analysis.
“The reason I couldn’t reproduce it or why the researchers couldn’t reproduce outside of their environment? The reason is the ‘else’ never gets triggered when WordPress was installed via a domain. If you installed WordPress by accessing http://192.168.100.110/, for example, you are vulnerable. If however, like most people, but not all, installed WordPress via the domain name, http://www.ethicalhack3r.co.uk you are not vulnerable.”
WordPress 3.3 is the most recent version of the popular blogging software and was just released in mid-December. Dewhurst said that there is a simple fix for the bug, even without a patch from WordPress.
“Put $_SERVER[‘REQUEST_URI’] through esc_html() first, esc_html($_SERVER[‘REQUEST_URI’]),” he wrote.