VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 28, 2008· Updated Apr 23, 2026

CVE-2008-5278

CVE-2008-5278

Description

Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress before 2.6.5 has an XSS vulnerability in the RSS feed generator via the Host header, allowing arbitrary script injection.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the self_link function within wp-includes/feed.php of WordPress versions prior to 2.6.5. The issue arises because the function uses the HTTP_HOST variable from the request header without proper sanitization, enabling an attacker to inject arbitrary web script or HTML. This vulnerability specifically affects IP-based virtual servers running on Apache 2.x [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious Host header to a vulnerable WordPress installation. No authentication or user interaction is required beyond the attacker controlling the Host header. The malicious payload is then executed when the RSS feed is accessed by a victim, typically in the context of the vulnerable site.

Impact

Successful exploitation allows remote attackers to inject arbitrary web script or HTML into the RSS feed output. This can lead to classic XSS attacks, such as session theft, credential harvesting, or defacement, affecting any user who views the compromised feed.

Mitigation

WordPress 2.6.5, released on November 25, 2008, fixes this vulnerability. Users should upgrade to this version immediately. Alternatively, administrators can apply the individual security fix by replacing the wp-includes/feed.php and wp-includes/version.php files from the 2.6.5 release package. No workarounds exist besides upgrading or patching [1].

References
  1. WordPress 2.6.5 – WordPress News

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

75
  • WordPress/WordPress75 versions
    cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 74 more
    • cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <=2.6.3
    • cpe:2.3:a:wordpress:wordpress:0.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.6.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.71:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.711:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.71-gold:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.72:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.72:beta1:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.72:beta2:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:0.72:rc1:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0.1-miles:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0.2-blakey:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.0-platinum:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2:beta:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2-delta:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.2-mingus:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.5-strayhorn:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.10_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.10_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1.3_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1.3_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.1:alpha_3:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2_revision5002:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.2_revision5003:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3.1:rc1:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3:beta3:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:wordpress:wordpress:2.6.1:*:*:*:*:*:*:*
    • (no CPE)range: < 2.6.5
    Package: https://wordpress.org/plugins/wordpress

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

10

News mentions

0

No linked articles in our index yet.