Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#22861 closed defect (bug) (invalid)

Wordpress 3.5 - Cross Site Scripting Vulnerability

Reported by: shubhammittal01
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description (last modified by ocean90)

Hi, my name is Shubham Mittal. I have found a bug in the new WordPress (latest version, 3.5). This bug is Cross Site Scripting.

[XSS] New Wp-Post

Exploit Title: CMS Wordpress - XSS Vulnerability
Author : Shubham Mittal
E-mail : upgoingstaar@…
Webpage: http://3ncrypt0r.blogspot.com
Version CMS : Version 3.5 (Last Version)
Category : WebApps / Content Management System (CMS)
Security Risk: Medium Level
Link Download: http://www.wordpress.org/
Tested On : Mozilla Firefox + WAMP + Windows 7 64 Bit

[Information Content]
WordPress - Web Publishing Software. http://www.wordpress.org/

[Vulnerability Details]

XSS CODE:
<script>alert("XSSedByShubham")>
</script<script>alert(document.cookie);</script>
<script>window.open("http://www.google.com/")</script>

Exploit Report:

  1. Create / Edit Wp-Post

     Input "Title Post" with script XSS Code.
     <script>alert("XSSedByShubham")</script>

  2. http://example.com/wp-admin/post-new.php <---Publish It

  3. View XSS, Alert Box will pop up. http://example.com/?p=xxx <--XSSed

http://4.bp.blogspot.com/-zNKPa-mQPEc/UMejBt8a3HI/AAAAAAAABQQ/HsG9RQnRwlg/s1600/post+xss.jpg

Thanks

Shubham Mittal
@upgoingstar

Change History (4)

#1 @ocean90
12 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 3.5 deleted

Administrators and Editors have the unfiltered_html capability and are allowed to do this.

Also, please do not report "security issues" publicly. http://codex.wordpress.org/Security_FAQ#Where_do_I_report_security_issues.3F

Duplicate: #19014

Last edited 12 years ago by ocean90
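The closing comment above rests on one mechanism: WordPress only attaches its KSES filters (title_save_pre → wp_filter_kses, content_save_pre → wp_filter_post_kses) for users who lack the unfiltered_html capability, so a <script> tag saved by an Administrator or Editor is stored and rendered verbatim by design. Sites that do not want that behaviour can take the capability away. The snippet below is an added hardening example written for this page; it is not code from the ticket or from WordPress core. It assumes it is loaded as a must-use plugin (the wp-content/mu-plugins/ path and the example_unfiltered_html_removed option name are assumptions); the DISALLOW_UNFILTERED_HTML constant, get_role(), WP_Role::has_cap() and WP_Role::remove_cap() are real WordPress APIs.

```php
<?php
/**
 * Added hardening example (not from the ticket or WordPress core).
 * Intended location: wp-content/mu-plugins/disallow-unfiltered-html.php (assumed path).
 *
 * Once a role no longer has unfiltered_html, kses_init() attaches the KSES
 * filters on save, so <script> in a post title or body is stripped before it
 * reaches the database, even for Administrators.
 */

// Option 1 (simplest): one constant in wp-config.php. map_meta_cap() then
// resolves unfiltered_html to do_not_allow for every user. Shown as a comment
// because it belongs in wp-config.php, not in a plugin file.
// define( 'DISALLOW_UNFILTERED_HTML', true );

// Option 2: remove the capability from selected roles. WP_Role::remove_cap()
// writes the change to the options table, so run it once and record that it
// has been done rather than repeating the database write on every request.
add_action( 'init', function () {
    // Option name is an assumption used only to make this idempotent.
    if ( get_option( 'example_unfiltered_html_removed' ) ) {
        return;
    }

    // Roles that hold unfiltered_html on a default single-site install.
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );          // null if the role does not exist
        if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }

    update_option( 'example_unfiltered_html_removed', 1 );
} );
```

After either option is in place, saving a post whose title contains the reporter's payload stores the title with the script tag removed, which is the check a site owner would use to confirm the capability is really gone. Note that this also removes legitimate uses of raw HTML (embeds, iframes) for those roles, so it is a policy decision rather than a bug fix, which is the point comment #1 makes.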

#2 @ocean90
12 years ago

  • Description modified

#3 @helenyhou
12 years ago

  • Component changed from General to Security

See: http://codex.wordpress.org/FAQ_Security#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F.

Also, when creating this ticket, this appeared at the top of the form:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@wordpress.org.

#4 @miqrogroove
12 years ago

And to offer a more general response to this:

Pasting code into your own website is not XSS. You have to demonstrate that a second site is involved or that injection is possible without administrator privilege.
