... in the latest (3.6.1) WordPress:
Same story as before, but it still seems not to be patched:
Enjoy, because 'it can not be used', right? ;)
* Update @ 17/10/2013 *
Check the file 'options-discussion.php' in the /wp-admin/ directory, lines 187-202.
You will find there:
---<code>---
187 <?php
188 $ratings = array(
189 /* translators: Content suitability rating: http://bit.ly/89QxZA */
190 'G' => __('G — Suitable for all audiences'),
191 /* translators: Content suitability rating: http://bit.ly/89QxZA */
192 'PG' => __('PG — Possibly offensive, usually for audiences 13 and above'),
193 /* translators: Content suitability rating: http://bit.ly/89QxZA */
194 'R' => __('R — Intended for adult audiences above 17'),
195 /* translators: Content suitability rating: http://bit.ly/89QxZA */
196 'X' => __('X — Even more mature than above')
197 );
198 foreach ($ratings as $key => $rating) :
199 $selected = (get_option('avatar_rating') == $key) ? 'checked="checked"' : '';
200 echo "\n\t<label><input type='radio' name='avatar_rating' value='" . esc_attr($key) . "' $selected/> $rating</label><br />";
201 endforeach;
202 ?>
---<code>---
so, because nothing checks whether the submitted 'rating' is one of the keys of $ratings, we can put
any JavaScript/HTML code we want in the 'avatar_rating' parameter. The form posts to options.php, which
saves the value as-is (avatar_rating is on its whitelist of discussion options), and get_avatar() in
wp-includes/pluggable.php later reads it back with get_option('avatar_rating') and concatenates it into the
avatar <img> markup without escaping. In this case XSS is possible; note that the value is persisted in the
option, so the payload fires wherever get_avatar() renders it, not only on this settings page. The catch is
that submitting the form requires the manage_options capability and a valid nonce, so the value has to come
from an administrator, which is why the issue was dismissed as unusable.
To patch this bug, edit the wp-includes/pluggable.php file and change line 1662 as shown below:
(screenshot: the changed pluggable.php file)
Simply change that line so the value is wrapped in WordPress's 'esc_html' function.
Now it should be ok. ;) A more complete fix would use esc_attr (the value lands inside a src='...' attribute) and,
on the input side, validate the submitted value against the keys of $ratings before it is saved, so a bad value
never reaches the database in the first place.
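As an added example (not code from this post or from WordPress core), here is what the two-sided fix looks like in plain PHP: a sanitize callback that only accepts the keys of $ratings, and the avatar markup built with the rating URL-encoded and attribute-escaped. The function names wp_avatar_rating_whitelist and build_avatar_img are chosen for this example, the payload is constructed, and htmlspecialchars stands in for WordPress's esc_attr so the script runs outside WordPress.

```php
<?php
// Added example, not WordPress core code. It shows the two fixes a patch for
// the unvalidated avatar_rating option needs: a whitelist on the way in and
// escaping on the way out. wp_avatar_rating_whitelist and build_avatar_img
// are names chosen for this example.

declare(strict_types=1);

// The keys of $ratings in wp-admin/options-discussion.php.
const ALLOWED_AVATAR_RATINGS = ['G', 'PG', 'R', 'X'];

/**
 * Sanitize callback for the avatar_rating option: anything that is not one
 * of the known keys falls back to the most restrictive rating.
 */
function wp_avatar_rating_whitelist($value): string
{
    $value = is_string($value) ? trim($value) : '';
    return in_array($value, ALLOWED_AVATAR_RATINGS, true) ? $value : 'G';
}

/**
 * Build the avatar <img> the way get_avatar() does, but with the rating
 * URL-encoded and the whole src attribute-escaped before it is emitted.
 * htmlspecialchars stands in for WordPress's esc_attr here.
 */
function build_avatar_img(string $hash, int $size, string $rating): string
{
    // http_build_query urlencodes the values, so quotes and angle brackets
    // in $rating can never terminate the attribute.
    $query = http_build_query(['s' => $size, 'r' => $rating]);
    $src   = 'https://secure.gravatar.com/avatar/' . $hash . '?' . $query;
    $safe  = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    return "<img src='{$safe}' width='{$size}' height='{$size}' />";
}

// In WordPress the whitelist would be attached from a must-use plugin with
//   add_filter('sanitize_option_avatar_rating', 'wp_avatar_rating_whitelist');
// update_option() runs that filter through sanitize_option() before saving.

// Constructed payload standing in for what an attacker would submit in the
// avatar_rating form field.
$payload = "X' onerror='alert(1)";

// Input validation: the payload never reaches the database.
$stored = wp_avatar_rating_whitelist($payload); // "G"
echo build_avatar_img(md5('user@example.com'), 96, $stored), "\n";

// Defense in depth: even if an unvalidated value were already stored, the
// output encoding alone keeps the payload inside the attribute.
echo build_avatar_img(md5('user@example.com'), 96, $payload), "\n";
```

Run it with `php example.php`; the second line shows the quote and parentheses of the payload percent-encoded inside the src value, which is the behaviour the one-line esc_html change in pluggable.php is meant to restore.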