Launchpad.net

CVE 2007-1049

Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.

Related bugs and status

CVE-2007-1049 (Candidate) is related to these bugs:

Bug #89654: wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs

		In	Importance	Status
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu)	Undecided	Fix Released
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu Dapper)	Undecided	Won't Fix
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu Edgy)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2007-1049

Related bugs and status

Related bugs

References