XSS in 2.1.1 in AYS for HTTP GET requests
Reported by: Reaper-X
Owned by:
Description (last modified by markjaquith)
Input passed to the "post" parameter in wp-admin/post.php (when "action" is set to "delete") is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Successful exploitation requires that the target user is logged in as administrator.
The exploit is actually more general than that: for any action that triggers nonce verification, the URL for the "Yes" action is not properly sanitized, and a specially crafted URL can escape from the link's href attribute and inject arbitrary HTML. The "delete" action and the "post" parameter just happen to be the ones used in the example.
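The pattern described in this ticket, as an added example that is not WordPress code and not part of the original report: a confirmation link that reflects the request URI into its href, next to a version that rebuilds the URL from validated parameters and escapes it for the attribute. The function names, the single-quoted attribute, and the sample URI are assumptions made for illustration; `htmlspecialchars()` is plain PHP and is not claimed to be the fix that shipped.

```php
<?php
// Added illustration; not WordPress code. Function names are hypothetical.

// Vulnerable pattern: the raw request URI is reflected into the href of
// the "Yes" link, so a quote in any parameter ends the attribute early.
function yes_link_unsafe(string $requestUri): string
{
    return "<a href='" . $requestUri . "'>Yes</a>";
}

// Hardened pattern: split off the query, keep only the expected
// parameters with the expected types, rebuild the URL, then escape the
// result for the HTML attribute context (both quote styles).
function yes_link_safe(string $requestUri): string
{
    [$path, $queryString] = array_pad(explode('?', $requestUri, 2), 2, '');
    parse_str($queryString, $params);

    $clean = [];
    if (isset($params['action']) && is_string($params['action'])
        && preg_match('/^[a-z_-]+$/', $params['action']) === 1) {
        $clean['action'] = $params['action'];
    }
    if (isset($params['post']) && is_string($params['post'])) {
        $clean['post'] = (int) $params['post'];   // assumption: post IDs are integers
    }

    $url = $path . '?' . http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
    return "<a href='" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "'>Yes</a>";
}

// Constructed sample request: the "post" value carries a quote and markup.
$uri = "/wp-admin/post.php?action=delete&post=1'><b>injected</b>";

$links = ['unsafe' => yes_link_unsafe($uri), 'safe' => yes_link_safe($uri)];
foreach ($links as $label => $html) {
    // A raw <b> tag in the output means the value left the attribute.
    $state = strpos($html, '<b>') !== false ? 'markup injected' : 'attribute intact';
    echo str_pad($label, 7) . $state . ': ' . $html . PHP_EOL;
}
```

Because the hardened version rebuilds the link from an allowlist instead of echoing the request, the same treatment covers any action that reaches the confirmation page, not only "delete".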
Change History (3)
comment:2 @foolswisdom — 9 years ago
- Description modified (diff)
- Summary changed from XSS in 2.1.1 to XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php