Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#32869 closed defect (bug) (invalid)

XSS Problem on Wordpress 4

Reported by: MohsineBen
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Themes
Keywords:
Focuses: javascript
Cc:


Hi, I think WordPress 4 is suffering from a Cross Site Scripting problem. I tested it on 2 websites:

It will take maybe 4 or 3 seconds before the error message appears (alert window).

And this is the result:

Attachments (1)

wordpress.JPG (54.3 KB) - added by MohsineBen 6 years ago.
XSS Window on Wordpress 4


Change History (3)

6 years ago

XSS Window on Wordpress 4

#1 @netweb
6 years ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.0 deleted

There were two notices you would have seen when posting this ticket:

Do not report potential security vulnerabilities here.
See the Security FAQ and contact security@wordpress.org.

And after typing the text you would've had to have checked the checkbox of the following to proceed:

I am not reporting a security issue — report security issues to security@wordpress.org

Yet you continued to post here anyway, quite disappointing :(

It looks like the theme in use isn’t escaping the search term properly, and that WordPress 4.3+ pre-escapes the search term to potentially avoid some of those cases, see #32142

Last edited 6 years ago by SergeyBiryukov (previous) (diff)
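The escaping point netweb raises, shown as an added stand-alone PHP example (not code from this ticket or from WordPress core): a search-results heading rendered with the raw term beside the same heading rendered through HTML escaping. The search term is a constructed sample; `esc_html_standalone()` is a hypothetical stand-in for WordPress's `esc_html()` so the file runs without WordPress loaded.

```php
<?php
// Added example, not from the ticket or WordPress core. In a real theme the
// term comes from get_search_query() (escaped by default) and any output of
// user-controlled text goes through esc_html() or esc_attr().

// Constructed user input, as a theme would see it after ?s=... (sample only).
$search_term = '<script>alert(1)</script>';

// Vulnerable pattern: the raw term is concatenated into the page, so a
// reflected payload in the query string ends up as live markup.
function render_heading_unsafe(string $term): string
{
    return '<h1>Search results for: ' . $term . '</h1>';
}

// Hypothetical stand-in for esc_html(): HTML-encode before output. WordPress
// ultimately relies on htmlspecialchars() with ENT_QUOTES for this.
function esc_html_standalone(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Hardened pattern: the same heading, escaped at the point of output.
function render_heading_safe(string $term): string
{
    return '<h1>Search results for: ' . esc_html_standalone($term) . '</h1>';
}

// Review check: does the rendered fragment still contain the term verbatim?
// True means the markup survived unescaped, which is the bug the ticket shows.
function term_survives_unescaped(string $html_fragment, string $term): bool
{
    return strpos($html_fragment, $term) !== false;
}

echo render_heading_unsafe($search_term), PHP_EOL;
echo render_heading_safe($search_term), PHP_EOL;
var_dump(term_survives_unescaped(render_heading_unsafe($search_term), $search_term));
var_dump(term_survives_unescaped(render_heading_safe($search_term), $search_term));
```

Run with `php example.php`: the unsafe heading prints the `<script>` tag intact, the safe one prints it as entities, and the check reports true only for the unsafe rendering.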

#2 @johnbillion
6 years ago

  • Component changed from Security to Themes