Advisory by Jose Carlos Norte Wordpress is vulnerable to XSS attacks when custom 404 pages are used by the template. The problem (sidebar.php): if wordpress template use custom 404 pages, like: Error 404 - Not Found $_SERVER['PHP_SELF']; can contain special characters to break out html and perform XSS attacks, example: http://www.example.com/index.php/"> if no custom 404 page set by wordpress theme this attacks is not posible.