Plain text content injection issue in feed error message
|Reported by:||harrym||Owned by:|
WordPress 3.5.2 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:
This message is emitted in wp-includes/functions.php in do_feed() at line 1009.
This issue was discovered by Glyn Wintle.
[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7.]
Change History (4)
- Keywords needs-patch 3.7-early added
- Milestone changed from Awaiting Review to Future Release
- Summary changed from Plain text content injection vulnerability in feed error message to Plain text content injection isue in feed error message
4 years ago
- Summary changed from Plain text content injection isue in feed error message to Plain text content injection issue in feed error message