Bluetrait

Security vulnerabilities have been found in WordPress that allows users to enter code into the site through certain urls (whose content is not checked).

Examples:
http://[victim]/wp-login.php?redirect_to=[code]
http://[victim]/wp-login.php?mode=bookmarklet&text=[code]
http://[victim]/wp-login.php?mode=bookmarklet&popupurl=[code]
http://[victim]/wp-login.php?mode=bookmarklet&popuptitle=[code]
http://[victim]/admin-header.php?redirect=1&redirect_url=%22;[code]//
http://[victim]/bookmarklet.php?popuptitle=[code]
http://[victim]/bookmarklet.php?popupurl=[code]]
http://[victim]/bookmarklet.php?content=[code]
http://[victim]/bookmarklet.php?post_title=[code]
http://[victim]/categories.php?action=edit&cat_ID=[code]
http://[victim]/edit.php?s=[code]
http://[victim]/edit-comments.php?s=[code]
http://[victim]/edit-comments.php?mode=[code]

XSS (cross-site scripting) holes are common in many php scripts and Wordpress isn't the only effected blogging tool. LiveJournal and Blogger are also vulnerable.

Athlough this is a somewhat large security issue wordpress users shouldn't be too worried, all scripts have bugs.

The Wordpress team are working on a 1.2.1 release to fix these issues. So look out for it.

Related links:
http://wordpress.org/support/4/13818
http://wordpress.org/support/7/13856
http://news.netcraft.com/archives/2004/09/30/security_holes_in_wordpress_blogging_tool.html
http://secunia.com/advisories/12683/