Posted by Jouko Pynnonen on Nov 20

OVERVIEW
========

A security flaw in WordPress 3 allows injection of JavaScript into certain
text fields. In particular, the problem affects comment boxes on WordPress
posts and pages. These don’t require authentication by default.

The JavaScript injected into a comment is executed when the target user
views it, either on a blog post, a page, or in the Comments section of the
administrative Dashboard.

In the most obvious scenario the…