Opened 5 years ago

Last modified 5 years ago

#22861 closed defect (bug)

Wordpress 3.5 - Cross Site Scripting Vulnerability — at Initial Version

Reported by: shubhammittal01 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:


Hi, my name is Shubham Mittal. I have found a bug in the new WordPress (latest version, 3.5). This bug is Cross Site Scripting.

[XSS] New Wp-Post

Exploit Title: CMS Wordpress - XSS Vulnerability
Author : Shubham Mittal
E-mail : upgoingstaar@…
Webpage: http://3ncrypt0r.blogspot.com
Version CMS : Version 3.5 (Last Version)
Category : WebApps / Content Management System (CMS)
Security Risk: Medium Level
Link Download: http://www.wordpress.org/
Tested On : Mozilla Firefox + WAMP + Windows 7 64 Bit

[Information Content] WordPress - Web Publishing Software. http://www.wordpress.org/

[Vulnerability Details]

XSS CODE: <script>alert("XSSedByShubham")</script>

Exploit Report:

  1. Create / Edit Wp-Post

     Input "Title Post" with script XSS Code. <script>alert("XSSedByShubham")</script>

  2. http://example.com/wp-admin/post-new.php <---Publish It

  3. View XSS, Alert Box will pop up. http://example.com/?p=xxx <--XSSed



Shubham Mittal @upgoingstar
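
A regression check for the behaviour reported above, added here as an example; it is not part of the original ticket or of WordPress itself. It classifies how the ticket's title value comes back in a rendered page; the function name, return labels and sample pages are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Title value taken from the ticket; the pages below are constructed samples.
PAYLOAD = '<script>alert("XSSedByShubham")</script>'
MARKER = 'alert("XSSedByShubham")'


class _Probe(HTMLParser):
    """Separates <script> bodies from ordinary text in a rendered page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.scripts, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)


def classify_title_reflection(page_html, marker=MARKER):
    """Return 'executable', 'inert' or 'absent' for the marker in page_html.

    Only element content is inspected; attribute contexts are out of scope.
    """
    probe = _Probe()
    probe.feed(page_html)
    probe.close()  # flush text buffered by convert_charrefs
    if marker in "".join(probe.scripts):
        return "executable"  # title was emitted as markup: script would run
    if marker in "".join(probe.text):
        return "inert"  # entity-encoded or tag-stripped: shown as plain text
    return "absent"


RAW_PAGE = '<h1 class="entry-title">' + PAYLOAD + "</h1>"
ESCAPED_PAGE = '<h1 class="entry-title">' + html.escape(PAYLOAD) + "</h1>"
OTHER_PAGE = '<h1 class="entry-title">Hello world</h1>'

if __name__ == "__main__":
    for name, page in [("raw", RAW_PAGE), ("escaped", ESCAPED_PAGE), ("other", OTHER_PAGE)]:
        print(name, classify_title_reflection(page))
```
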

Change History (0)
