



Vulnerability Found in WordPress

An XSS vulnerability has been found in wp-admin/templates.php, which could allow malicious web users to inject arbitrary web scripts or HTML code through the file parameter.

This exploit could allow remote attackers to do nasty things by injecting PHP or HTML code into your WordPress core files.

Vulnerable versions of WordPress:

  • WordPress (B2) 0.6.2.1
  • WordPress (B2) 0.6.2
  • WordPress 2.0.5
  • WordPress 2.0.4
  • WordPress 2.0.3
  • WordPress 2.0.2
  • WordPress 2.0.1
  • WordPress 2.0
  • WordPress 1.5.2
  • WordPress 1.5.1.3
  • WordPress 1.5.1.2
  • WordPress 1.5.1
  • WordPress 1.5
  • WordPress 1.2.2
  • WordPress 1.2.1
  • WordPress 1.2
  • WordPress 0.71
  • WordPress 0.7

Only the latest release, WordPress 2.0.6, is not vulnerable to this.

To patch the vulnerability, download the patched templates.php and replace your existing wp-admin/templates.php file with it.
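To find which installs on a server still need the fix, the 2.0.6 cutoff above can be checked against each site's recorded version. The script below is an added example, not part of the original post or of WordPress itself; it assumes each install stores its version as `$wp_version` in wp-includes/version.php and reports installs without that file or variable as unknown.

```python
import re
from pathlib import Path

FIXED = (2, 0, 6)  # first release the post lists as not vulnerable
# Assumption: the version is assigned as $wp_version = '<x.y.z>'; in version.php
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

def parse_version(text):
    """Return the numeric parts of $wp_version as a tuple, or None if absent.
    Any non-numeric suffix (for example '-beta') is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        return None
    return tuple(int(p) for p in nums.group(0).split("."))

def is_vulnerable(version):
    """True if version sorts below 2.0.6; pads so (2, 0) compares as (2, 0, 0)."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)

def audit(root):
    """Find every wp-includes/version.php under root and classify the install."""
    results = []
    for vf in sorted(Path(root).rglob("wp-includes/version.php")):
        version = parse_version(vf.read_text(errors="replace"))
        site = str(vf.parent.parent)
        if version is None:
            results.append((site, None, "unknown"))
        else:
            status = "vulnerable" if is_vulnerable(version) else "ok"
            results.append((site, ".".join(map(str, version)), status))
    return results

if __name__ == "__main__":
    import sys
    # Usage: python audit_wp.py /path/to/webroot
    for site, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version or '?':10} {site}")
```

The check goes by version number only, so a pre-2.0.6 install whose templates.php was replaced by hand is still reported as vulnerable and needs to be confirmed manually.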

To learn more about this vulnerability, visit Operation N or Security Focus.
Report via Tech-Buzz.


One Response to “Vulnerability Found in WordPress”

  1. Phalgun Says:

    Nice post.
    Would you like to exchange links in blogroll?
