Wordpress Vulnerable to Worm
Benjamin Flesch points out seven Wordpress XSS exploits that could be used partially or en totalis to create a 0day Wordpress worm that could:
- Spread automatically around the blogosphere
- Inject a payload into Wordpress
In the blackhat world, the best target would be to find a Wordpress.com XSS exploit. Then you could easily write a script looking for high-PR blogs and inject a hidden link for yourself, probably without too many people noticing. If you were careful and acted slowly you’d have the most powerful Web 2.0 botnet before anyone noticed!
#2 has been shown to be easy. However, none of the exploits seem to offer #1, that is the spread of a true worm. The author’s worm cannot spread unless you follow a complicated self-commenting procedure. So for now at least, there will be no Wordpress 0day firestorm.
