VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1559

Description

WordPress 1.2 contains multiple cross-site scripting vulnerabilities in several admin files allowing arbitrary script injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress 1.2 is vulnerable to multiple reflected cross-site scripting (XSS) attacks in its administration files. The affected parameters are redirect_to, text, popupurl, and popuptitle in wp-login.php; redirect_url in admin-header.php; popuptitle, popupurl, content, and post_title in bookmarklet.php; cat_ID in categories.php; s in edit.php; and s and mode in edit-comments.php. Each is taken from the request and written into the HTML response without encoding, so a value containing `<`, `>` or `"` breaks out of the surrounding markup or attribute and is interpreted as arbitrary HTML and JavaScript [1]. Because the values are reflected from the request rather than stored, each attack needs a fresh crafted request; nothing persists on the server.

Exploitation

The payload travels in the URL itself, so the attacker needs a victim to issue a GET request for it. The attacker crafts a link to one of the affected files with the script payload in a vulnerable parameter and delivers it to a WordPress administrator (e.g., via email, a forum post, or a page that loads the URL automatically). When the victim is logged into the WordPress admin panel and follows the link, the admin-side files serve the response under the victim's session and the injected script executes in the origin of the WordPress site [1]. No server-side foothold or prior access is required; the only precondition is an authenticated administrator and an unencoded reflection.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the WordPress site's origin inside the victim's browser. The script can read the administrator's session cookie and send it to the attacker, who then impersonates the administrator; it can also drive administrative actions directly from the victim's browser without stealing anything (e.g., create new administrator accounts, modify content or settings, activate plugins, or deface the site). Either way the attacker ends up with the same privileges as the victim administrator [1].

Mitigation

At the time of disclosure (September 2004), no official fix was available; the reference states that the vendor was contacted but no response was received [1]. Users of WordPress 1.2 should upgrade to a later release (e.g., 1.2.1 or higher) that encodes these parameters before output, and should confirm the fix in the version they deploy, since this page lists no patch record. The code-level fix is the usual one for reflected XSS: pass every request value through an HTML encoder (htmlspecialchars() in PHP, with quotes encoded) at the point where it is written into markup, rather than trusting the value because it originates from the admin interface. As a workaround, administrators can avoid following untrusted links while logged into the admin panel and log out when finished, but this relies on user behaviour and is not a complete solution.
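The following Python script is an added example, not WordPress code or part of the original advisory. It turns the parameter list from the Vulnerability section into the crafted GET requests the Exploitation section describes, using a harmless canary instead of a script payload, and checks whether the response echoes the canary raw (the finding) or HTML-encoded (the fix described under Mitigation). The `wp-admin/` prefix for the admin files, the canary string, the `render_vulnerable`/`render_hardened` stand-ins and the simulated site are assumptions constructed here for illustration; the file and parameter names are those named in the advisory.

```python
"""Reflected-XSS probe for the CVE-2004-1559 parameter list, plus a minimal
stand-in for the vulnerable and hardened output behaviour.

Added example, not WordPress code. The file names and parameters are the
ones enumerated in the advisory; the wp-admin/ prefix, the canary, the
render stand-ins and the simulated site are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Advisory's file -> parameter list. The wp-admin/ prefix is an assumption
# about where the admin files live; the advisory names only the files.
AFFECTED = {
    "wp-login.php": ["redirect_to", "text", "popupurl", "popuptitle"],
    "wp-admin/admin-header.php": ["redirect_url"],
    "wp-admin/bookmarklet.php": ["popuptitle", "popupurl", "content", "post_title"],
    "wp-admin/categories.php": ["cat_ID"],
    "wp-admin/edit.php": ["s"],
    "wp-admin/edit-comments.php": ["s", "mode"],
}

# Inert marker: carries the characters an HTML encoder must neutralise
# ('"', '<', '>') but no script, so it is safe to send against a live site.
CANARY = '"><canary-7f3a>'


def probe_urls(base):
    """Build one GET URL per (file, parameter) with the canary as the value.
    `base` must end with '/' (e.g. 'http://blog.example/')."""
    urls = []
    for file, params in AFFECTED.items():
        for param in params:
            url = urljoin(base, file) + "?" + urlencode({param: CANARY})
            urls.append((file, param, url))
    return urls


def reflects_unescaped(body, canary=CANARY):
    """True if the canary came back byte-for-byte, i.e. '<' and '"' were not
    encoded on output. An encoded echo (&quot;&gt;&lt;canary-7f3a&gt;) is not a hit."""
    return canary in body


# Stand-ins for the two PHP behaviours behind the finding: echoing a request
# parameter straight into markup versus passing it through htmlspecialchars().
def render_vulnerable(param, value):
    return f'<input type="hidden" name="{param}" value="{value}">'


def render_hardened(param, value):
    return f'<input type="hidden" name="{param}" value="{escape(value, quote=True)}">'


def simulated_site(render):
    """Offline stand-in for an HTTP fetch: echoes every query parameter
    through `render`, the way the affected files echo theirs."""
    def fetch(url):
        query = parse_qs(urlsplit(url).query)
        fields = "".join(render(p, v[0]) for p, v in query.items())
        return "<html><body>" + fields + "</body></html>"
    return fetch


def run_probe(base, fetch):
    """Return the (file, param) pairs whose response reflects the canary raw."""
    return [(f, p) for f, p, url in probe_urls(base) if reflects_unescaped(fetch(url))]


if __name__ == "__main__":
    base = "http://blog.example/"  # constructed host, not a real target
    print("vulnerable:", run_probe(base, simulated_site(render_vulnerable)))
    print("hardened:  ", run_probe(base, simulated_site(render_hardened)))
```

Against a real WordPress 1.2 install, replace `simulated_site(...)` with a fetch function (for example one built on `urllib.request`) that sends an authenticated administrator session cookie, because the admin-side files only render for a logged-in user; the canary-based check stays the same. The canary deliberately contains `"` as well as `<` so that reflection inside an attribute value is caught, not only reflection into element content.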

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)