Opened 3 years ago

Closed 3 years ago

#16997 closed defect (bug) (invalid)

XSS bug (QuickPress title)

Reported by: apr_inoue
Owned by: apr_inoue
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: General
Keywords:
Focuses:
Cc:

Description

I found an XSS bug in the QuickPress title on the dashboard.

WordPress version: 3.0.5 (Japanese), 3.1 (English) and 3.1 (Japanese)

Change History (3)

comment:1 dd32 3 years ago

I'd just like to direct you to our published guidelines on how to report security issues: http://codex.wordpress.org/Reporting_Bugs#Reporting_security_issues

If you could send an email through to security at wordpress.org with the exact details, we can investigate the claims.

However, I'd like to mention that it's by design that users (with the unfiltered_html capability) can by default include HTML in their post titles.

comment:2 apr_inoue 3 years ago

  • Owner set to apr_inoue
  • Status changed from new to reviewing

I send an email.
Thanks.

comment:3 nacin 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from reviewing to closed