CVE-2007-4153

Name of the Vulnerable Software and Affected Versions WordPress version 2.2.1

Description The issue allows remote authenticated administrators to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through the Options Database Table in the Admin Panel, accessed via the options.php endpoint, or through the opml url parameter to the link-import.php endpoint. It is noted that this might not cross privilege boundaries in some configurations, given the Administrator role's unfiltered html capability.

Recommendations For WordPress version 2.2.1, update to a newer version that contains a fix for this issue to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the options.php and link-import.php endpoints to minimize the risk of exploitation. Additionally, avoid using the opml url parameter in the link-import.php endpoint until the issue is resolved.