Vulnerability Name:

CVE-2008-5278 (CCN-46882)

Assigned:2008-11-25
Published:2008-11-25
Updated:2017-08-08
Summary:Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).
http://wordpress.org/development/2008/11/wordpress-265/

The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: BugTraq Mailing List, Tue Nov 25 2008 - 16:21:10 CST
WordPress XSS vulnerability in RSS Feed Generator

Source: MITRE
Type: CNA
CVE-2008-5278

Source: OSVDB
Type: UNKNOWN
50214

Source: CCN
Type: SA32882
WordPress "Host" Header RSS Feed Script Insertion Vulnerability

Source: SECUNIA
Type: UNKNOWN
32882

Source: SECUNIA
Type: UNKNOWN
32966

Source: SREASON
Type: UNKNOWN
4662

Source: CCN
Type: WordPress Web site
WordPress 2.6.5

Source: CONFIRM
Type: Patch, Vendor Advisory
http://wordpress.org/development/2008/11/wordpress-265/

Source: CCN
Type: OSVDB ID: 50214
WordPress wp-includes/feed.php self_link() Function Host Header RSS Feed XSS

Source: BUGTRAQ
Type: Exploit
20081125 WordPress XSS vulnerability in RSS Feed Generator

Source: BID
Type: UNKNOWN
32476

Source: CCN
Type: BID-32476
WordPress 'wp-includes/feed.php' Cross-Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
wordpress-feed-xss(46882)

Source: XF
Type: UNKNOWN
wordpress-feed-xss(46882)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-10483

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-10468

Vulnerable Configuration:Configuration 1:
  • cpe:/a:wordpress:wordpress:0.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.7:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.71:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.71-gold:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.72:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.72:beta1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.72:beta2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.72:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.711:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0-platinum:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0.1-miles:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.0.2-blakey:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2:beta:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2-delta:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2-mingus:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5-strayhorn:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.5:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.6:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.7:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.8:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.9:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10_rc2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.11:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1:alpha_3:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3_rc2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2_revision5002:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2_revision5003:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3:beta3:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.1:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.5:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.6:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.6.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version <= 2.6.3)

    • Configuration CCN 1:
  • cpe:/a:wordpress:wordpress:0.7:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.5:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.6:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.11:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.2:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.3.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.7:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3:rc2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.5:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:0.71:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.0.10:rc2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.6:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.6.1:-:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:2.6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    wordpress wordpress 0.6.2
    wordpress wordpress 0.6.2 beta_2
    wordpress wordpress 0.6.2.1
    wordpress wordpress 0.6.2.1 beta_2
    wordpress wordpress 0.7
    wordpress wordpress 0.71
    wordpress wordpress 0.71-gold
    wordpress wordpress 0.72
    wordpress wordpress 0.72 beta1
    wordpress wordpress 0.72 beta2
    wordpress wordpress 0.72 rc1
    wordpress wordpress 0.711
    wordpress wordpress 1.0
    wordpress wordpress 1.0-platinum
    wordpress wordpress 1.0.1
    wordpress wordpress 1.0.1-miles
    wordpress wordpress 1.0.2
    wordpress wordpress 1.0.2-blakey
    wordpress wordpress 1.2
    wordpress wordpress 1.2 beta
    wordpress wordpress 1.2-delta
    wordpress wordpress 1.2-mingus
    wordpress wordpress 1.2.1
    wordpress wordpress 1.2.2
    wordpress wordpress 1.3.1
    wordpress wordpress 1.4
    wordpress wordpress 1.5
    wordpress wordpress 1.5-strayhorn
    wordpress wordpress 1.5.1
    wordpress wordpress 1.5.1.1
    wordpress wordpress 1.5.1.2
    wordpress wordpress 1.5.1.3
    wordpress wordpress 1.5.2
    wordpress wordpress 1.6
    wordpress wordpress 2.0
    wordpress wordpress 2.0.1
    wordpress wordpress 2.0.2
    wordpress wordpress 2.0.3
    wordpress wordpress 2.0.4
    wordpress wordpress 2.0.5
    wordpress wordpress 2.0.6
    wordpress wordpress 2.0.7
    wordpress wordpress 2.0.8
    wordpress wordpress 2.0.9
    wordpress wordpress 2.0.10
    wordpress wordpress 2.0.10_rc1
    wordpress wordpress 2.0.10_rc2
    wordpress wordpress 2.0.11
    wordpress wordpress 2.1
    wordpress wordpress 2.1 alpha_3
    wordpress wordpress 2.1.1
    wordpress wordpress 2.1.2
    wordpress wordpress 2.1.3
    wordpress wordpress 2.1.3_rc1
    wordpress wordpress 2.1.3_rc2
    wordpress wordpress 2.2
    wordpress wordpress 2.2.0
    wordpress wordpress 2.2.1
    wordpress wordpress 2.2.2
    wordpress wordpress 2.2.3
    wordpress wordpress 2.2_revision5002
    wordpress wordpress 2.2_revision5003
    wordpress wordpress 2.3
    wordpress wordpress 2.3 beta3
    wordpress wordpress 2.3 rc1
    wordpress wordpress 2.3.1
    wordpress wordpress 2.3.1 rc1
    wordpress wordpress 2.3.2
    wordpress wordpress 2.3.3
    wordpress wordpress 2.5
    wordpress wordpress 2.5.1
    wordpress wordpress 2.6
    wordpress wordpress 2.6.1
    wordpress wordpress *
    wordpress wordpress 0.7
    wordpress wordpress 1.2
    wordpress wordpress 1.2.1
    wordpress wordpress 1.5.1.2
    wordpress wordpress 1.5.2
    wordpress wordpress 2.0.1
    wordpress wordpress 2.0.2
    wordpress wordpress 2.0.3
    wordpress wordpress 2.0.5
    wordpress wordpress 2.0.6
    wordpress wordpress 2.1.2
    wordpress wordpress 2.1.3
    wordpress wordpress 2.2
    wordpress wordpress 2.2.1
    wordpress wordpress 2.3
    wordpress wordpress 2.0.11
    wordpress wordpress 2.3.2
    wordpress wordpress 2.3.3
    wordpress wordpress 2.3.1
    wordpress wordpress 2.2.3
    wordpress wordpress 2.2.2
    wordpress wordpress 2.0.10
    wordpress wordpress 2.0.7
    wordpress wordpress 2.0.4
    wordpress wordpress 2.0
    wordpress wordpress 2.1.3 rc2
    wordpress wordpress 2.1.3 rc1
    wordpress wordpress 2.1
    wordpress wordpress 2.5
    wordpress wordpress 0.6.2.1
    wordpress wordpress 0.71
    wordpress wordpress 1.2.2
    wordpress wordpress 1.3.1
    wordpress wordpress 1.5
    wordpress wordpress 1.5.1
    wordpress wordpress 1.5.1.1
    wordpress wordpress 2.0.10 rc1
    wordpress wordpress 2.0.10 rc2
    wordpress wordpress 2.5.1
    wordpress wordpress 2.6
    wordpress wordpress 2.6.1
    wordpress wordpress 2.6.2