CVE-2008-5278

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 2.6.5

Description A cross-site scripting (XSS) issue exists due to the self link function in the RSS Feed Generator. This allows remote attackers to inject arbitrary web script or HTML via the HTTP HOST variable in the Host header.

Recommendations For versions prior to 2.6.5, update to version 2.6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the RSS Feed Generator until a patch is applied. Avoid using the HTTP HOST variable in the affected API endpoint until the issue is resolved.