CVE-2007-1622 Information

Description

Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2 and before 2.1.3 RC2 in the 2.1 series allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface related to loose regular expression processing of PHP_SELF.

Reference

http://secunia.com/advisories/24567 http://secunia.com/advisories/25108 http://sla.ckers.org/forum/read.php?27935msg-8006 http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt http://www.debian.org/security/2007/dsa-1285 http://www.securityfocus.com/bid/23027 http://www.vupen.com/english/advisories/2007/1005