CVE-2007-3238

Name of the Vulnerable Software and Affected Versions: WordPress version 2.2

Description: A cross-site scripting (XSS) issue exists in the default theme's functions.php file, allowing remote authenticated administrators to inject arbitrary web script or HTML via the PATH INFO (REQUEST URI) to "wp-admin/themes.php". This might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered html capability.

Recommendations: For WordPress version 2.2, update to a newer version to mitigate the risk, as the exact fix version is not specified. As a temporary workaround, consider restricting access to the wp-admin/themes.php endpoint for remote authenticated administrators until a patch is available.