CVE-2010-2002
Description
Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with "administer words filtered" privileges, to inject arbitrary web script or HTML via the word list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Drupal Wordfilter module allows authenticated users with 'administer words filtered' permission to inject arbitrary HTML/script via the word list.
Vulnerability
The Wordfilter module for Drupal, versions 5.x before 5.x-1.1 and 6.x before 6.x-1.1, fails to sanitize the list of filtered words and their replacements. This allows a cross-site scripting (XSS) attack via the word list on the administrative interface. The vulnerability is present in the module's admin pages and block display [1].
Exploitation
An attacker must have the "administer words filtered" permission, which is typically granted to trusted site administrators. The attacker can then input arbitrary HTML or JavaScript code into the word list fields. When the list is displayed on admin pages or blocks, the unsanitized input is rendered, executing the injected script in the context of the victim's browser [1].
Impact
Successful exploitation leads to arbitrary script execution in the context of the Drupal site. This can result in full compromise of administrative access, as the attacker can steal session cookies, perform actions on behalf of the victim, or deface the site. The vulnerability is rated moderately critical by the Drupal Security Team [1].
Mitigation
The fix is to upgrade to Wordfilter 5.x-1.1 or 6.x-1.1, released on 2010-May-12. These versions wrap the filtered word and replacement word in check_plain to prevent XSS [2][3]. No workaround is available; updating is the recommended solution.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:addison_berry:wordfilter:5.x-1.x:dev:*:*:*:*:*:*
- (no CPE) range: < 5.x-1.1, < 6.x-1.1
- cpe:2.3:a:jeff_warrington:wordfilter:5.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:jeff_warrington:wordfilter:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:jeff_warrington:wordfilter:6.x-1.x:dev:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/796618 (NVD: Patch)
- drupal.org/node/796620 (NVD: Patch)
- drupal.org/node/797208 (NVD: Patch, Vendor Advisory)
- www.securityfocus.com/bid/40119 (NVD: Patch)
- secunia.com/advisories/39811 (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.