How to play with a Wordpress Admin
February 17th, 2007

Just found some XSS which could affect every Wordpress.com blog admin out there; the link is at the bottom of this post.
Some hours later I stumbled over another interesting flaw, a redirection script inside Wordpress (an open redirect): just append /wp-login.php?action=logout&redirect_to=http://mybeni.tk to the blog root and you can send people anywhere you want (I'm sad this doesn't work with the "data:text/html" stuff).
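As an added, defender-side example (not code from the original post and not WordPress's own), this is the kind of allow-list check a logout handler can apply to redirect_to so the browser can only be sent back to the blog itself; the site host 'blog.example.com' is an assumed placeholder.

```php
<?php
// Added example, not WordPress's own code: an allow-list check for the
// redirect_to parameter consumed by a logout endpoint such as wp-login.php.
// 'blog.example.com' is an assumed placeholder for the real site host.
function safe_redirect_target(string $redirectTo, string $blogHost, string $fallback = '/'): string
{
    $parts = parse_url($redirectTo);
    if ($redirectTo === '' || $parts === false) {
        return $fallback; // malformed input never reaches the Location header
    }
    // Only http/https may be followed; this also rejects data:, javascript:
    // and any other scheme a browser might be talked into rendering.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Absolute and protocol-relative (//host) URLs carry a host; it must match
    // the blog exactly, so user@host tricks and look-alike domains fall through.
    if (isset($parts['host'])) {
        return strcasecmp($parts['host'], $blogHost) === 0 ? $redirectTo : $fallback;
    }
    // Host-less values must be a plain absolute path on this site; '//x' and
    // '/\x' are refused because browsers resolve them as a new authority.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        return $fallback;
    }
    if (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\')) {
        return $fallback;
    }
    return $redirectTo;
}

// Constructed inputs showing which values are accepted and which fall back.
$blogHost = 'blog.example.com';
$samples = [
    '/wp-admin/',
    'http://blog.example.com/wp-admin/',
    'http://mybeni.tk',
    '//mybeni.tk',
    '/\\mybeni.tk',
    'http://blog.example.com@mybeni.tk/',
    'data:text/html,hello',
];
foreach ($samples as $in) {
    printf("%-40s -> %s\n", $in, safe_redirect_target($in, $blogHost));
}
// At the logout handler the checked value is the only thing sent to Location:
// header('Location: ' . safe_redirect_target($_GET['redirect_to'] ?? '/', $blogHost), true, 302);
```

Only the first two samples come back unchanged; every other value is replaced by the fallback path, which is the behaviour a logout redirect needs in order to stop being usable as a phishing hop.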
For the folks with the ability to decompile Flash applets, please have a look at this link: it seems someone could run a specially crafted PHP script on the wordpress.com server; it would be nice if you contacted me.
Some XSS on every wordpress.com blog out there; it works only in the admin panel of the blog (that means only against the admin): Wordpress.com XSS