Description

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability.

Remediation

References

CVE-2007-3238

Related Vulnerabilities

WordPress Plugin Poll Maker SQL Injection (3.4.1)

WordPress Plugin SRS Simple Hits Counter SQL Injection (1.0.4)

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-26227)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-2079)

WordPress Plugin Live Chat for Fanpage Cross-Site Scripting (2.0.1)

Severity

Medium

Classification

CVE-2007-3238

Tags

Missing Update Known Vulnerabilities