XSS Vulnerability in WordPress 3.2.1

If you run WordPress with several users, or have user registration open, please pay attention to this article. There is a security hole in WordPress version 3.2.1 that lets a registered user inject XSS code into our blog. At the simplest, they can pop up an alert on the front page, on the article page, and on the category or archive pages where the article appears.

The method is quite simple. At first they write an article as usual. Once you approve it and the article is published, they can edit that article and insert JavaScript code. The code can be all sorts of things, of course; anyone who understands JavaScript will get the idea, hehehe..

As a temporary fix, edit the file post-template.php in the wp-includes folder. There are 3 places that need to be changed.

Vulnerable Code Patch Part 1

function the_title($before = '', $after = '', $echo = true) {
	$title = get_the_title();

	/* Nothing to print for an empty title */
	if ( strlen($title) == 0 )
		return;

	$title = $before . $title . $after;

	/* Encode HTML special characters before the title reaches the page */
	if ( $echo )
		echo htmlentities($title); /* Line No 52 Patch*/
	else
		return htmlentities($title); /* Line No 54 Patch*/
}

Vulnerable Code Patch Part 2

function the_title_attribute( $args = '' ) {
	$title = get_the_title();

	/* Nothing to print for an empty title */
	if ( strlen($title) == 0 )
		return;

	$defaults = array('before' => '', 'after' =>  '', 'echo' => true);
	$r = wp_parse_args($args, $defaults);
	extract( $r, EXTR_SKIP );

	$title = $before . $title . $after;
	$title = esc_attr(strip_tags($title));

	/* Encode HTML special characters before the title reaches the attribute */
	if ( $echo )
		echo htmlentities($title) ;/* Line No 87 Patch here By adding htmlentities*/
	else
		return htmlentities($title); /* Line No 89 Patch*/
}

Vulnerable Code Patch Part 3

function get_the_title( $id = 0 ) {
	$post = &get_post($id);

	$title = isset($post->post_title) ? $post->post_title : '';
	$id = isset($post->ID) ? $post->ID : (int) $id;

	/* Prefix protected and private posts on the public side only */
	if ( !is_admin() ) {
		if ( !empty($post->post_password) ) {
			$protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
			$title = sprintf($protected_title_format, $title);
		} else if ( isset($post->post_status) && 'private' == $post->post_status ) {
			$private_title_format = apply_filters('private_title_format', __('Private: %s'));
			$title = sprintf($private_title_format, $title);
		}
	}
	/* Encode HTML special characters in the filtered title */
	return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch*/
}
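The three patches above all rely on htmlentities() at output time. The following stand-alone PHP script is an added example, not WordPress code and not part of the original post: it reproduces the unpatched behaviour (title printed as-is), the behaviour after the Part 1 and Part 3 patches are both applied, and an escape-once variant with explicit flags. The function names (render_title_vulnerable, render_title_patched, render_title_escaped_once) and the sample titles are constructed for this demo and do not exist in WordPress.

```php
<?php
// Added example (not WordPress code): reproduces the title-output problem
// described above and the effect of the htmlentities() patches.
// Function names and $sample_titles are assumptions made for this demo.

// Constructed sample titles. The first is the kind of value a low-privilege
// author could save when editing a published post; the others show the
// side effects of the patch on ordinary titles.
$sample_titles = array(
    'Hello <script>alert(1)</script>',   // constructed: markup inside a title
    'Tom & Jerry',                       // constructed: ampersand (double encoding)
    "It's \"quoted\"",                   // constructed: quotes (matter in attributes)
);

// Unpatched the_title()/get_the_title(): the stored title is printed verbatim,
// so any markup in it becomes part of the page.
function render_title_vulnerable($title) {
    return '<h2>' . $title . '</h2>';
}

// After the Part 1 + Part 3 patches: the_title() calls get_the_title(), so
// htmlentities() runs twice on the same string.
function render_title_patched($title) {
    $from_get_the_title = htmlentities($title);                  // Part 3 patch
    return '<h2>' . htmlentities($from_get_the_title) . '</h2>'; // Part 1 patch
}

// Escape exactly once, at the output point, with explicit flags and charset.
// ENT_QUOTES also encodes single quotes (before PHP 8.1 the default left them
// untouched); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function render_title_escaped_once($title) {
    return '<h2>' . htmlentities($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

foreach ($sample_titles as $title) {
    echo "input:        $title\n";
    echo "vulnerable:   " . render_title_vulnerable($title) . "\n";
    echo "patched:      " . render_title_patched($title) . "\n";
    echo "escaped once: " . render_title_escaped_once($title) . "\n\n";
}
```

Two things to check after applying the patches as written. First, because the_title() builds on get_the_title(), a title such as "Tom & Jerry" is encoded twice and ends up as "Tom &amp;amp; Jerry" in the HTML, which a browser displays as the literal text "Tom &amp; Jerry"; the_title_attribute() has the same issue, since it already runs esc_attr() before the added htmlentities() call. Escaping once, at the final output point, avoids this. Second, htmlentities() with no flags depends on the PHP version's defaults for quote handling and charset, so passing ENT_QUOTES and 'UTF-8' explicitly makes the result predictable for titles inside attributes and for non-ASCII titles.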

If this is confusing, you can grab the complete code for this post-template.php file here. Hopefully this helps, and hopefully there will soon be an update from A report has already been sent, anyway 🙂

Credit: Darshit Ashara

By Lutvi

Not an Ustadz, not a Dai, let alone a Kyai. Not a teacher either. Just a santri poor in knowledge, trying to put into practice one verse inherited from the ulama. Currently entrusted with being the web admin of WordPress Indonesia.

20 replies on “XSS Vulnerability in WordPress 3.2.1”

I just want to say I’m a beginner to weblogs and certainly liked this blog site. Probably I’m planning to bookmark your blog. You surely come with impressive writings. Thank you for revealing your webpage.

I like the helpful information you provide in your articles. I’ll bookmark your weblog and check again here frequently. I’m quite sure I will learn lots of new stuff right here! Good luck for the next!

Definitely believe that which you stated. Your favorite reason appeared to be on the net the easiest thing to be aware of. I say to you, I certainly get annoyed while people think about worries that they plainly don’t know about. You managed to hit the nail upon the top and defined out the whole thing without having side-effects; people could take a signal. Will probably be back to get more. Thanks

What I do not understand is actually how you’re not actually much more well-liked than you may be now. You are very intelligent. You realize thus considerably relating to this subject, made me personally consider it from a lot of varied angles. It’s like men and women aren’t fascinated unless it’s one thing to do with Lady Gaga! Your own stuff’s great. Always maintain it up!

Fantastic beat! I would like to apprentice while you amend your site; how could I subscribe for a blog web site? The account aided me an acceptable deal. I had been a tiny bit acquainted of this; your broadcast provided a bright clear idea.
