Poor WordPress documentation trips developers, yields plug-ins with XSS flaw

Ambiguous WordPress documentation led many plug-in and theme developers to make an error that exposed websites to cross-site scripting (XSS) attacks.

Such attacks involve tricking a site’s users into clicking on specially crafted URLs that execute rogue JavaScript code in their browsers in the context of that website.

The impact depends on the user’s role on the website. For example, if victims have administrative privileges, attackers could trigger rogue administrative actions. If victims are regular users, attackers could steal their authentication cookies and hijack their accounts.

The vulnerability stems from insecure use of two WordPress functions called add_query_arg and remove_query_arg and was discovered recently by researchers from code auditing company Scrutinizer.

To read this article in full or to leave a comment, please click here

Read more: Poor WordPress documentation trips developers, yields plug-ins with XSS flaw

Story added 21. April 2015, content source with full text you can find at link above.