CVE-2007-1049

Name of the Vulnerable Software and Affected Versions: WordPress versions 2.0 through 2.0.8 WordPress versions 2.1 through 2.1.0

Description: A cross-site scripting (XSS) issue exists in the wp explain nonce function within the nonce AYS functionality, located in wp-includes/functions.php. This allows remote attackers to inject arbitrary web script or HTML via the file parameter to "wp-admin/templates.php", and possibly other vectors involving the action variable.

Recommendations: For WordPress versions 2.0 through 2.0.8, update to version 2.0.9 or later. For WordPress versions 2.1 through 2.1.0, update to version 2.1.1 or later.