CVE-2008-1304

Name of the Vulnerable Software and Affected Versions WordPress version 2.3.2

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the inviteemail parameter in an invite action to "wp-admin/users.php" or the to parameter in a sent action to "wp-admin/invites.php".

Recommendations For WordPress version 2.3.2, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the "wp-admin/users.php" and "wp-admin/invites.php" endpoints until a patch is available. Avoid using the inviteemail and to parameters in the affected API endpoints until the issue is resolved.