id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
18250,I/O Sanity Failures in _wp_specialchars(),miqrogroove,,"'''Background'''

While reviewing and re-testing code from #12284 and [17171], I realized we had missed something nearby and in plain sight:

{{{
$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
}}}

This bug was reported to the security group during the 3.2 RC1 development cycle.

A patch was submitted to the security group prior to 3.2 RC1.

Today we agreed to add the patch to a Trac ticket.

I believe this bug affects all versions of WordPress from version 2.8 through 3.2.1.

'''Vulnerability'''

Anonymous users can break comment feed validation by injecting the phrase |wp_entity| into the body of any comment in the feed.

Any other output from _wp_specialchars() would be similarly vulnerable, but the comment feed is the most obvious example.",defect (bug),closed,normal,3.3,Security,2.8,critical,fixed,,
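The failure mode the ticket describes, as an added Python model that is not WordPress code: the step that hides existing entity references behind the `|wp_entity|` token before escaping is an assumption about the surrounding function (only the restore line is quoted above), `escape_all()` stands in for htmlspecialchars(), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# An existing character/entity reference such as &amp; or &#60;
ENTITY_RE = re.compile(r'&(#?x?[0-9a-z]+);', re.I)
ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;'}


def escape_all(s: str) -> str:
    """Stand-in for htmlspecialchars(): encode every &, <, > and double quote."""
    return ''.join(ESCAPES.get(ch, ch) for ch in s)


def specialchars_placeholder(s: str) -> str:
    """Vulnerable model: hide entities behind a placeholder, escape, restore.

    Assumption: the wrapping step is how the function protected existing
    entities from double encoding; only the restore line is quoted in the ticket.
    """
    s = ENTITY_RE.sub(r'|wp_entity|\1|/wp_entity|', s)
    s = escape_all(s)
    # The line quoted in the ticket: a user-supplied |wp_entity| token is also
    # turned into a raw '&' here, after escaping has already run.
    return s.replace('|wp_entity|', '&').replace('|/wp_entity|', ';')


# One pass: keep a valid reference, encode anything else that needs it.
KEEP_OR_ESCAPE_RE = re.compile(r'&(#?x?[0-9a-z]+;)|([&<>"])', re.I)


def specialchars_single_pass(s: str) -> str:
    """Hardened model: no placeholder round-trip, so no token can be smuggled."""
    def repl(m):
        if m.group(1) is not None:
            return m.group(0)          # existing entity, leave untouched
        return ESCAPES[m.group(2)]     # bare special character, encode it
    return KEEP_OR_ESCAPE_RE.sub(repl, s)


def is_well_formed_xml(fragment: str) -> bool:
    """Feed-style check: does the text survive an XML parser inside an element?"""
    try:
        ET.fromstring(f'<c>{fragment}</c>')
        return True
    except ET.ParseError:
        return False


if __name__ == '__main__':
    # Constructed comment body carrying the smuggled placeholder token
    comment = 'nice post |wp_entity| see you <b>soon</b>'
    for fn in (specialchars_placeholder, specialchars_single_pass):
        out = fn(comment)
        print(fn.__name__, repr(out), 'well-formed:', is_well_formed_xml(out))
```

On benign input both functions agree; on the smuggled token the placeholder version emits a bare `&` that fails the well-formedness check, which is the feed breakage the ticket reports.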
