As I just read over at heise.de Security (German), a good collection of security news, a Cross-Site Scripting (XSS) hole exists in many templates for WordPress. Affected templates include popular ones such as k2 as well as the classic one.
The problem occurs in many templates that use custom 404 error pages. Most of these templates don't escape HTML special characters in the variable $_SERVER['PHP_SELF'] before printing it. Because that value is derived from the requested URL, XSS attacks become possible.
To see if your template is also affected visit this URL
Check searchform.php and sidebar.php for:
action="<?php echo $_SERVER['PHP_SELF']; ?>"
Replace it with:
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
The original bug report was posted on Bugtraq.
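To run the check above across a whole theme rather than two files, here is an added example (not from the original post or from WordPress): a Python audit that reports every $_SERVER['PHP_SELF'] not directly wrapped in an escaping call. The function names, the constructed sample files, and accepting htmlentities, esc_attr and esc_url alongside htmlspecialchars are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Any read of $_SERVER['PHP_SELF'] (single- or double-quoted key).
PHP_SELF = re.compile(r"""\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]""")
# Escaping call that opens directly before the variable. htmlspecialchars is
# the fix from the post; the other names are assumed acceptable wrappers.
WRAPPED = re.compile(r"(?:htmlspecialchars|htmlentities|esc_attr|esc_url)\s*\(\s*$")

# Constructed theme files for the demo, not taken from any real theme.
SAMPLE = {
    "searchform.php": '<form method="get" action="<?php echo $_SERVER[\'PHP_SELF\']; ?>">\n</form>\n',
    "sidebar.php": '<ul>\n<li><form action="<?php echo htmlspecialchars($_SERVER[\'PHP_SELF\']); ?>"></form></li>\n</ul>\n',
}


def scan_theme(theme_dir):
    """Return (relative_path, line_no, line) for each unescaped PHP_SELF use."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in PHP_SELF.finditer(line):
                # A wrapper split across lines is not recognised, so such a
                # use is still reported: the scan errs toward manual review.
                if not WRAPPED.search(line[:match.start()]):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, line_no, line.strip()))
    return findings


def demo():
    """Write the constructed sample theme to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan_theme(tmp)


if __name__ == "__main__":
    for rel, line_no, line in demo():
        print(f"{rel}:{line_no}: {line}")
```

Point scan_theme() at a theme directory under wp-content/themes to audit an installed template; each reported line is a candidate for the htmlspecialchars() replacement shown above.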