Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#22132 closed defect (bug) (invalid)

Malicious script allowed in attachment Title, Caption and Description

Reported by: dglingren Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.4.2
Component: Security Keywords:
Focuses: Cc:


If you enter Javascript in the Title, Alternate Text, Caption and/or Description fields of an attachment the Edit Media and Media Library screens will properly escape and didplay it. However, the Gallery shortcode and the display page reached from the attachment's permalink do not escape these values and the script is executed.

For example, enter this in the Title field:


The double-quote terminates the text field and the script is executed.

Change History (2)

comment:1 @nacin3 years ago

  • Component changed from Media to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

When creating this ticket, this appeared at the top of the form:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….

This does not appear to be a security vulnerability. See: http://codex.wordpress.org/FAQ_Security#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F.

You are welcome to email us if there's more here.

comment:2 @TobiasBg3 years ago

Note: This lead to the discovery of #22135.

Note: See TracTickets for help on using tickets.