Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#19014 closed defect (bug) (invalid)

Titles containing JavaScript execute the JavaScript - XSS risk

Reported by: dbvista Owned by:
Milestone: Priority: normal
Severity: major Version: 3.2.1
Component: General Keywords:
Focuses: Cc:


I created a post with this title:

<script lang="javascript">alert('hacked');</script>

When the article rendered, the alert box rendered too. This means WordPress is vulnerable to JavaScript-based attacks such as cross-site scripting (XSS).

Change History (4)

#1 @dbvista
9 years ago

Here's another great title:

<script language="javascript">document.location='http://www.you-are-hacked.com';</script>

which directs the browser to a malicious site.

#2 @rianjs
9 years ago

Working example:

Direct link to post:

Homepage with the post on it:

Both trigger the JS.

#3 @ryan
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Administrators and Editors have the unfiltered_html capability and are allowed to do this.

#4 @dbvista
9 years ago

Thanks. I re-tried this as an Author and the JavaScript did not execute.

Note: See TracTickets for help on using tickets.