Is version 2.2.3 still hackable with the XSS Exploit?

    It appears to have a vulnerability.

    Does 2.3 fix this?

    Thank you,

Viewing 11 replies - 1 through 11 (of 11 total)
Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    You’ll have to be more specific, exactly what vulnerability are you talking about?

    I don’t know of any working XSS vulnerability for 2.2.3, and I try to keep up with this sort of thing. So please be specific.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I don’t see how that is legitimate, script tags get filtered out of comments if you’re not a trusted user. So you can post “alert” all you like, it won’t do anything. Script tags (along with most every other tag) are filtered out by kses.
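The reply above describes the mechanism that makes a pasted script tag harmless in a comment: an allowlist filter keeps a handful of tags and drops everything else for untrusted commenters, while trusted users bypass it. The following is an added illustration of that filtering model, not WordPress's kses code and not from anyone in this thread; the allowed tag and attribute sets, the `filter_comment_html` name and the `trusted` flag are assumptions made for the example.

```python
"""Allowlist-based comment filter, in the spirit of what the reply above describes.

Added example, not WordPress/kses code. The allowlists below are assumptions.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags a comment form might reasonably permit, with the
# attributes allowed on each. Anything not listed here is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "blockquote": {"cite"}, "p": set(), "br": set(),
}
VOID_TAGS = {"br"}
# URL attributes must start with one of these; "javascript:" and friends are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class _AllowlistFilter(HTMLParser):
    """Rebuilds the input keeping only allowed tags/attributes; text is always kept."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <iframe>, <img onerror=...>: tag vanishes, text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # on* handlers, style, etc. never survive
            if name in ("href", "cite") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # unsafe URL scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close anything opened after it as well, so the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Script bodies arrive here as plain data, so "alert(1)" is emitted as text.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close whatever the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def filter_comment_html(comment, trusted=False):
    """Return the comment as stored: untouched for trusted users, filtered otherwise."""
    if trusted:
        return comment
    parser = _AllowlistFilter()
    parser.feed(comment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments.
    for sample in ('<script>alert(1)</script>', '<b onmouseover="x()">hi</b>',
                   '<a href="javascript:alert(1)">link</a>'):
        print(repr(sample), "->", repr(filter_comment_html(sample)))
```

The design point is the direction of the decision: the filter enumerates what is allowed and drops the rest, rather than trying to recognise every dangerous tag or attribute, which is why a new attribute or tag name does not need a filter update to stay blocked.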

    preaching to the choir 🙂

    Thread Starter quotes

    (@quotes)

    @otto42

    I am confused.

    Are you saying that this exploit did not happen?

    That is not true.

    Right now I am looking at dozens of sites that are running 2.2.3 and have been hacked.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    “Been hacked” is different than “WordPress 2.2.3 has a vulnerability”. I can hack your site easily, if your permissions are wrong on the shared server and I gain access to the server through some other site.

    Just because a site is hacked doesn’t mean that they went through WordPress to do it.

    Tell me what the vulnerability actually is. Otherwise, there isn’t one.

    Also, an XSS vulnerability rarely leads to a site compromise. XSS is not generally used a lot by site hackers, they prefer SQL Injection.
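The reply above separates "the site was hacked" from "WordPress has a vulnerability" and names one common non-WordPress cause: wrong file permissions on a shared server, which let an attacker who already controls a neighbouring account write into your files. A check a site owner would want for that case is a walk over the web root reporting every file or directory writable by "other". The code below is an added example written for this page, not a WordPress tool or anything posted in the thread; the `find_world_writable` name and the sample tree it builds are assumptions.

```python
"""Report world-writable files and directories under a web root.

Added example, not WordPress code. The sample tree in build_sample_tree() is
constructed for the demonstration; the names in it are not real site paths.
"""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return sorted root-relative paths whose mode grants write to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; nothing to judge here
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is judged in place
            if st.st_mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: one upload dir left at 0777 and one config file at 0666,
    next to correctly locked-down entries (0755 / 0644)."""
    uploads = os.path.join(base, "content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(base, "content"), 0o755)
    os.chmod(uploads, 0o777)  # the classic "make uploads work on shared hosting" mistake
    for name, mode in (("config.php", 0o666), ("index.php", 0o644)):
        path = os.path.join(base, name)
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)


def demo():
    """Build the constructed tree in a temp dir and return what the check flags."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_world_writable(base)


if __name__ == "__main__":
    for rel in demo():
        print("world-writable:", rel)
```

On a real host the same function is pointed at the site's document root; anything it lists is writable by every local account, which is exactly the condition the reply describes for being "hacked" without any WordPress flaw being involved.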

    Thread Starter quotes

    (@quotes)

    They used the exact same exploit that they used to break into previous WordPress versions.

you know that’s a crap answer, and it’s crap because as exploits have been made public, they’ve been fixed in the next versions.

    Consequently, you cannot say that.

    Not to mention your language “exact same exploit” … absolute crap with a capital C

you think you know something that someone else doesn’t, here you go:

    security@wordpress.org

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    They used the exact same exploit that they used to break into previous WordPress versions.

    And exactly what exploit would that be?

    Like I said, it’s put up or shut up when it comes to exploits. Say exactly what the exploit is. “The same one” isn’t actually saying anything, it just says that you really don’t have any idea what you’re talking about.

    LOOOL!

    With people like Otto42 and whooami holding the fort, I know I am not going to lose sleep over any real or imagined WP vulnerability 🙂

The topic ‘2.2.3 Vulnerability’ is closed to new replies.