Software by tag 'XSS'

WordPress XSS And What Can You Do About It

December 10th, 2009 in Wordpress

Just recently, WordPress released 2.8.6 with a critical security update that patches a cross-site scripting vulnerability found by Benjamin Flesch. That’s right, the same kid who discovered a way to patch your WordPress blog by exploiting a similar XSS vulnerability has found another.

Cross-site scripting

When I started working more with web application security, I was amazed at the number of web developers who are unaware of all the possible entry points that the applications they develop have. Of these vulnerabilities, cross-site scripting (or XSS) still leads the pack according to WhiteHat Security.

A cross-site scripting vulnerability lets an attacker inject a client-side script into a web page that other users view. The attack can be used to bypass access controls, steal cookies, and hijack an active session to steal sensitive information.
