Send an email with the details to security@wordpress.org.
This was reported to us last week. We’re still looking into it and will likely add a sanity check here, though we can currently determine that this is an extremely minor XSS issue and will not compromise an installation.
For this to work, you would have to be an administrator on a single site install, or a super administrator on a multisite install, rendering the exploit pretty much useless as admins can do anything anyway. We also perform proper capability checks and most importantly a nonce and referer check, so it poses no CSRF or privilege escalation threat unless of course the server is already compromised for both the filesystem and database, at which point you’re toast anyway.
For those wondering, this is fixed in WordPress 3.1.
Roy
(@gangleri)
This DOES make me wonder if we can wait for 3.1 or when it that version due?
As explained in my first comment, this vulnerability is simply not exploitable, hence why we’re not preparing a version 3.0.2.
The hacks you’re seeing are server-level issues, not application-level. There are no known exploitable security vulnerabilities in WordPress and haven’t been in more than a year.
Roy
(@gangleri)
Ah indeed, sorry and thanks.
