A few weeks ago I rushed out an update to fix a potentially dangerous Cross-Site Scripting (XSS) vulnerability in WP-Cumulus. With the PHP part of the plugin shielded from ‘outside use’, I was hoping no more issues would pop up. Still, I’m glad MustLive alerted me to another issue that uses the Flash movie itself. The exploit worked by calling the SWF file directly, and supplying link with javascript. I’m not quite sure how dangerous this is, but I’ve modified the movie so it only executes regular links.

Please update your copy of WP-Cumulus to 1.23 asap. For most users it should only take two clicks.

The should not affect how WP-Cumulus works on WordPress blogs. But there have been a number of ports and other projects that use the Flash movie. I urge the authors of those projects to examine the new Flash movie, and see if it still works in/with their product. The exploit is not unique to WordPress, and they may need to modify the security check to fit their project.

Yesterday, Thomas Scholz alerted me to a security weakness in WP-Cumulus. He noticed XSS hacking attempts targeted at wp-cumulus.php that could, in rare cases allow malicious code to be executed. This issue has been fixed in version 1.22, and I strongly recommend you upgrade straight away. It’s better to be safe than sorry, and the attack has already been seen ‘in the wild’.

WP-Cumulus can be downloaded here, but chances are your blog will notify you of the new version and allow you to upgrade automatically.