WordPress.org

Make WordPress Core

#24784 closed defect (bug) (fixed)

Plain text content injection issue in feed error message

Reported by: harrym Owned by:
Milestone: 3.7 Priority: normal
Severity: normal Version: 3.6
Component: Feeds Keywords: 3.7-early
Focuses: Cc:

Description

WordPress 3.5.2 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:

http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked.%20%20Quick%2C%20write%20a%20news%20paper%20story%20about%20this%21%20I%20am%20tired%20of%20error%20messages%20that%20say%20this

This message is emitted in wp-includes/functions.php in do_feed() at line 1009.

This issue was discovered by Glyn Wintle.

[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7.]

Change History (4)

comment:1 @nacin21 months ago

  • Keywords needs-patch 3.7-early added
  • Milestone changed from Awaiting Review to Future Release
  • Summary changed from Plain text content injection vulnerability in feed error message to Plain text content injection isue in feed error message

comment:2 @SergeyBiryukov20 months ago

  • Summary changed from Plain text content injection isue in feed error message to Plain text content injection issue in feed error message

comment:3 @wonderboymusic20 months ago

  • Milestone changed from Future Release to 3.7

these are all marked 3.7-early

comment:4 @SergeyBiryukov19 months ago

  • Keywords needs-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [25190].

Note: See TracTickets for help on using tickets.