CVE-2009-3891
Description
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in WordPress Press This feature allows authenticated users with posting privileges to inject arbitrary web script via the s parameter.
Vulnerability
The cross-site scripting (XSS) vulnerability exists in wp-admin/press-this.php in WordPress versions before 2.8.6. The bug is triggered via the s parameter (the selection variable), which was not encoded before being echoed into the page, allowing injection of arbitrary web script or HTML [3][4]. This affects sites running WordPress 2.8.5 and earlier.
Exploitation
An attacker must be a registered, logged-in user with posting privileges (e.g., an author or editor). By crafting a malicious s parameter in a URL to the Press This feature (press-this.php), the attacker can inject JavaScript that will execute in the context of the WordPress admin area [4].
Impact
Successful exploitation allows the attacker to perform actions such as stealing session cookies, defacing pages, or performing administrative actions on behalf of the victim user. The attack is confined to the WordPress admin interface and requires an authenticated user [4].
Mitigation
WordPress fixed this vulnerability in version 2.8.6, released on November 12, 2009 [4]. Users should upgrade to WordPress 2.8.6 or later. There is no known workaround for older versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <=2.8.5)
- (no CPE) (range: <2.8.6)
Patches
115c978cd09d9: Prevent XSS in press-this.php. props Benjamin Flesch. fixes #11119 for 2.8.x
1 file changed · +5 −5
wp-admin/press-this.php+5 −5 modified@@ -91,8 +91,8 @@ function press_it() { } // Set Variables -$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : ''; -$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : ''; +$title = isset( $_GET['t'] ) ? trim( strip_tags( aposfix( stripslashes( $_GET['t'] ) ) ) ) : ''; +$selection = isset( $_GET['s'] ) ? trim( htmlspecialchars( html_entity_decode( aposfix( stripslashes( $_GET['s'] ) ) ) ) ) : ''; if ( ! empty($selection) ) { $selection = preg_replace('/(\r?\n|\r)/', '</p><p>', $selection); $selection = '<p>'.str_replace('<p></p>', '', $selection).'</p>'; @@ -117,7 +117,7 @@ function press_it() { <div class="postbox"> <h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2> <div class="inside"> - <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo format_to_edit($selection, true); ?></textarea> + <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea> <p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p> </div> </div> @@ -548,8 +548,8 @@ function show(tab_name) { <div id="quicktags"></div> <div class="editor-container"> <textarea name="content" id="content" style="width:100%;" class="mceEditor" rows="15"> - <?php if ($selection) echo wp_richedit_pre(htmlspecialchars_decode($selection)); ?> - <?php if ($url) { echo '<p>'; if($selection) _e('via '); echo "<a href='$url'>$title</a>."; echo '</p>'; } ?> + <?php if ($selection) echo wp_richedit_pre( $selection ); ?> + <?php if ($url) { echo '<p>'; if($selection) _e('via '); printf( "<a href='%s'>%s</a>.", esc_url( $url ), esc_html( $title ) ); echo '</p>'; } ?> </textarea> </div> </div>
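Review bot: in the first hunk (around line 91), `$title` now gets `strip_tags()` at assignment but no encoding, so it relies on each call site escaping it; the third hunk does that with `esc_html( $title )`, and any other place `$title` is echoed would need the same treatment. The new `$selection` line decodes entities before encoding, which avoids double-encoding input that already contains `&amp;`, but `htmlspecialchars()` and `html_entity_decode()` are called without explicit flags or charset, so single-quote handling and character set fall back to the running PHP version's defaults; passing `ENT_QUOTES` and the blog charset explicitly would make the intent clear.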
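Review bot: in the second hunk (the embed-code textarea), replacing `format_to_edit($selection, true)` with `wp_htmledit_pre( $selection )` is the right direction, but `$selection` now arrives already entity-encoded from the first hunk; confirm that `wp_htmledit_pre()` is meant to encode a second time (so the HTML editor shows `&lt;` literally) rather than expecting raw content, and note that expectation in a comment at the assignment so a later refactor does not silently drop one of the two layers.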
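Review bot: in the third hunk (the content textarea), dropping `htmlspecialchars_decode( $selection )` is the essential change, since decoding at output would undo the encoding added at assignment. The new `printf` escapes `$url` with `esc_url()` and `$title` with `esc_html()`, but the `href` attribute is single-quoted, so check that `esc_url()` neutralizes a literal single quote in that context or switch the attribute to double quotes; `$url` is not shown being sanitized at assignment anywhere in this diff, so this escaping is the only visible control on it.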
Vulnerability mechanics
Root cause
"Missing output encoding of the user-supplied 's' GET parameter before it is echoed into the HTML page in press-this.php."
Attack vector
An authenticated attacker can inject arbitrary web script or HTML by crafting a malicious `s` query parameter in the URL to `wp-admin/press-this.php`. Because the input was not neutralized before being placed into the page output, the payload executes in the context of the victim's browser session. The attack requires the victim to be authenticated to WordPress and to visit the crafted URL. This is a classic reflected cross-site scripting flaw [CWE-79].
Affected code
The vulnerability is in `wp-admin/press-this.php`. The `$selection` variable, derived from the `s` GET parameter, was assigned using only `trim( aposfix( stripslashes( $_GET['s'] ) ) )` without any HTML sanitization. This unsanitized value was then output directly into the page via `format_to_edit($selection, true)` inside a `
What the fix does
The patch applies `htmlspecialchars( html_entity_decode( ... ) )` to the `$selection` variable, which encodes HTML special characters so they are rendered as text rather than executed as markup. It also replaces `format_to_edit($selection, true)` with `wp_htmledit_pre( $selection )` for the embed-code textarea, and uses `wp_richedit_pre( $selection )` (instead of `wp_richedit_pre(htmlspecialchars_decode($selection))`) for the content textarea, ensuring the value is safely escaped for the editor context. Additionally, the `$title` variable is now sanitized with `strip_tags()` and output is escaped via `esc_html()`, and the `$url` is passed through `esc_url()` before being placed in an `href` attribute [patch_id=1995856].
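The following is an added example, not WordPress code, that contrasts the removed and added `$selection` assignments from the first hunk on a constructed input and shows why the decode-then-encode order avoids double-encoding while still neutralizing markup. `aposfix()` and `format_to_edit_rich()` are stand-ins for the WordPress helpers and are assumptions about their behaviour, not the real implementations.

```php
<?php
// Stand-in for WordPress's aposfix() from press-this.php (assumption: it
// only turns apostrophes into &#039; so they survive later processing).
function aposfix($text) {
    return str_replace("'", '&#039;', $text);
}

// Stand-in for format_to_edit($content, true) (assumption: with the rich-edit
// flag set it returned the content without any HTML escaping).
function format_to_edit_rich($content) {
    return $content;
}

// Vulnerable assignment (the removed line of the first hunk): no encoding.
function selection_before($raw) {
    return trim(aposfix(stripslashes($raw)));
}

// Patched assignment (the added line of the first hunk): decode any entities
// the user already supplied, then encode exactly once, so "&amp;" stays a
// single "&amp;" while "<" and ">" always become "&lt;" and "&gt;".
function selection_after($raw) {
    return trim(htmlspecialchars(html_entity_decode(aposfix(stripslashes($raw)))));
}

// Constructed input mixing a pre-encoded ampersand with raw markup.
$raw = 'Rock &amp; Roll <script>alert(1)</script>';

$before = selection_before($raw);
$after  = selection_after($raw);

// Old path: the raw tag reaches the textarea body unchanged, so a value that
// contains "</textarea>" can close the element and the browser runs script.
echo "<textarea>" . format_to_edit_rich($before) . "</textarea>\n";

// Patched path: every "<", ">" and "&" in the value is entity-encoded, so
// the browser renders it as text inside the textarea.
echo "<textarea>" . $after . "</textarea>\n";
```

Run with `php example.php`; the second line shows the `<script>` tag encoded and the ampersand encoded only once.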
Preconditions
- auth: Attacker must be an authenticated user of the WordPress instance.
- input: Victim must visit a crafted URL containing a malicious 's' parameter to wp-admin/press-this.php.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- core.trac.wordpress.org/attachment/ticket/11119/press-this-xss-bug-11-10-2009.patch (NVD: Patch, Vendor Advisory)
- core.trac.wordpress.org/attachment/ticket/11119/press-this.002.diff (NVD: Patch, Vendor Advisory)
- wordpress.org/development/2009/11/wordpress-2-8-6-security-release/ (NVD: Patch, Vendor Advisory)
- core.trac.wordpress.org/ticket/11119 (NVD: Vendor Advisory)
- secunia.com/advisories/37332 (NVD: Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/11/15/2 (NVD: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/11/15/3 (NVD: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/11/16/1 (NVD: Mailing List, Third Party Advisory)
- www.osvdb.org/59959 (NVD: Broken Link)
News mentions
No linked articles in our index yet.