CVE-2008-5278

WordPress <2.6.5 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).

References (10)

[Third Party Advisory, VDB Entry] http://osvdb.org/50214

[Patch, Vendor Advisory] http://wordpress.org/development/2008/11/wordpress-265/

[Exploit] http://www.securityfocus.com/archive/1/498652

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/46882

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00000.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00176.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/32476

[Third Party Advisory] http://secunia.com/advisories/32882

[Third Party Advisory] http://secunia.com/advisories/32966

[Third Party Advisory] http://securityreason.com/securityalert/4662

Scores

EPSS 0.0316

EPSS Percentile 86.7%

Classification

CWE

CWE-79

Status published

Affected Products (50)

wordpress/wordpress < 2.6.3

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

wordpress/wordpress

... and 35 more

Timeline

Published Nov 28, 2008

Tracked Since Feb 18, 2026