An input validation flaw in WordPress has me wondering about switching platforms. It’s not the flaw itself, but the lack of notification that’s getting me.
The variable-handling XSS vulnerability was reported over the weekend.
PHP_SELF variable is not properly sanitized before output and it can be used to conduct an XSS attack over WordPress’s CSRF protection.
[…]
A successful attack would require that the logged-in user has write capabilities over theme files, and the attacker must also know the current theme of the target site.
Here’s the supposed timeline:
03/08/2007 – Bug found
03/15/2007 – Vendor contact
03/16/2007 – WordPress 2.0.10-RC2 and 2.1.3-RC2 releases
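To make the advisory's point concrete, here is an added illustration (hypothetical code, not WordPress's own) of the PHP_SELF reflection pattern it describes and the two standard remediations. PHP_SELF includes any PATH_INFO suffix the client appends, so the constructed sample path below is reachable by an ordinary GET request to a script named /edit.php.

```php
<?php
// Added example, not from the original post or from WordPress.
// PHP_SELF is request-derived: for a request to /edit.php/extra it contains
// "/edit.php/extra", so it is user input and must be treated as such.

// Vulnerable pattern: the request path is reflected verbatim into an HTML attribute.
function form_action_unsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Fix 1: escape on output. ENT_QUOTES covers the double quote that would
// otherwise close the attribute early.
function form_action_escaped(string $phpSelf): string
{
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Fix 2 (preferred): do not reflect request-controlled data at all; emit a
// fixed, server-known path. "/edit.php" is a hypothetical script name.
function form_action_fixed(): string
{
    return '<form action="/edit.php" method="post">';
}

// True when the value would break out of a double-quoted attribute, i.e. the
// markup is no longer the single form tag the developer intended.
function breaks_attribute(string $html): bool
{
    // Count quotes outside the two that delimit action="...": any extra raw
    // quote means the attacker-controlled path closed the attribute.
    return substr_count($html, '"') !== 4;
}

// Constructed sample: a benign path suffix containing a quote and tag characters,
// the kind of input PHP_SELF hands a script that does not sanitize it.
$samplePhpSelf = '/edit.php/"><i>injected</i>';

$unsafe  = form_action_unsafe($samplePhpSelf);
$escaped = form_action_escaped($samplePhpSelf);
$fixed   = form_action_fixed();

echo "unsafe  : $unsafe\n";        // raw quote and tags land in the markup
echo "escaped : $escaped\n";       // &quot;&gt;&lt;i&gt; ... stays inside the attribute
echo "fixed   : $fixed\n";
echo 'unsafe breaks attribute : ', breaks_attribute($unsafe) ? 'yes' : 'no', "\n";   // yes
echo 'escaped breaks attribute: ', breaks_attribute($escaped) ? 'yes' : 'no', "\n";  // no
```

Because the vulnerable output runs in the logged-in editor's own session, script injected this way can read the page's CSRF token and submit authenticated requests with it, which is what the advisory means by an XSS attack "over" the CSRF protection; output escaping or a fixed action path removes the sink.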
But if you look at the current upgrade page, there’s no mention of the flaw or release candidates.
The latest version, WordPress Version 2.1.2 (http://wordpress.org/development/2007/03/upgrade-212/), was released to the public on March 2, 2007.
I can certainly understand if they are hesitant to pre-announce a stable build, but a little acknowledgment/warning of the problem would be nice for those of us who would like to see an authoritative response rather than just the chatter.
UPDATE (20 Mar 2007): The attack discussion thread continues and some clever ducky has just posted a fine XSS exploit. I tested it a minute ago and it definitely works on the stable release. I still do not see any alert on the official WordPress site. Hello? Hello?