The researchers said in a blog post that the flaw can be triggered by posting a specially crafted comment to a vulnerable WordPress blog.
“Step 1: Post a comment to the target website. Step 2: Replace the value of author tag, email tag, comment tag with the exact value of what has been post[ed] in the last comment. Change the value of comment_post_ID to the value of post (which can be known by opening that post and checking the value of p parameter in the url)”, they explained in their blog.
For the next step, the researchers advise the would-be hacker to publish an HTML file, which they provide in the blog post, on the web server and access it. “Click on ‘Click Me’ button. This will try to post the comment to WordPress, which will flag this comment as duplicate comment with the 500 Internal server error response.” The XSS payload is then executed, they related.
Researcher Ryan Dewhurst wrote in his blog that he was having trouble duplicating the results. “I contacted the researchers over Twitter and told them that I was unable to reproduce the vulnerability in any browser or on any WordPress installation including vanilla installs. The researchers got back in touch with a link to a WordPress installation on which the vulnerability worked. The URL they gave me was an IP address. Within their environment the XSS worked.”
Dewhurst added that the recently updated version, WordPress 3.3.1, fixes the vulnerability.