XSS flaw in WordPress 3.3 – How the smallest things make testing tough


WordPress logoA pair of Indian researchers disclosed a new cross-site scripting (XSS) vulnerability in WordPress 3.3 on Monday.

Another researcher who goes by the name of ethicalhack3r decided to try to replicate their findings using the proof of concept (PoC) code that was posted to pastebin.com.

He couldn’t seem to make it work, so he contacted the original team and explained the trouble he was having and they also had trouble reproducing the problem outside of the one instance they had developed it on.

It turned out to be related to whether a WordPress instance was installed from an IP address ( or using a domain name (http://example.org/wp-admin).

These are the types of problems that keep software QA engineers awake at night.

Who would expect to need to create test cases for whether the initial install was done with an IP versus a name???

Ethicalhack3rEthicalhack3r posted a one line code change that prevents the exploitation, but true to their normal response, WordPress have already patched the bug and released 3.3.1.

If you run your own WordPress site and used an IP address to set it up, I would update to 3.3.1 as soon as possible.

While most WordPress bloggers won’t be at risk from this flaw, why take a chance? WordPress fixed it in 24 hours, why not see if you can patch it in even less?