WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#24784 closed defect (bug) (fixed)

Plain text content injection issue in feed error message

Reported by: harrym Owned by:
Milestone: 3.7 Priority: normal
Severity: normal Version: 3.6
Component: Feeds Keywords: 3.7-early
Focuses: Cc:

Description

WordPress 3.5.2 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:

http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked.%20%20Quick%2C%20write%20a%20news%20paper%20story%20about%20this%21%20I%20am%20tired%20of%20error%20messages%20that%20say%20this

This message is emitted in wp-includes/functions.php in do_feed() at line 1009.

This issue was discovered by Glyn Wintle.

[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7.]

Change History (4)

#1 @nacin
3 years ago

  • Keywords needs-patch 3.7-early added
  • Milestone changed from Awaiting Review to Future Release
  • Summary changed from Plain text content injection vulnerability in feed error message to Plain text content injection isue in feed error message

#2 @SergeyBiryukov
3 years ago

  • Summary changed from Plain text content injection isue in feed error message to Plain text content injection issue in feed error message

#3 @wonderboymusic
3 years ago

  • Milestone changed from Future Release to 3.7

these are all marked 3.7-early

#4 @SergeyBiryukov
3 years ago

  • Keywords needs-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [25190].

Note: See TracTickets for help on using tickets.