Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#47163 closed defect (bug) (invalid)

Stored XSS on Comments

Reported by: down3rz
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: General
Keywords: (none)
Focuses: (none)
Cc: (none)

Description (last modified by ocean90)

The script I used was:

<a onmouseover=alert('XSS')>Click me</A>

I executed this script on comments and this showed up.

I'm sure this is severe and I'm waiting for the fix. Thank you, I'm not good at writing write-ups.

Attachments (1)

t1.jpg (149.6 KB) - added by down3rz 2 years ago.
I executed the script on my own blog.


Change History (2)

@down3rz
2 years ago

I executed the script on my own blog.

#1 @ocean90
2 years ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed
  • Version 5.1.1 deleted

Hello, when writing this ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Please also read "Why are some users allowed to post unfiltered HTML?".
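The FAQ that ocean90 links to is the reason the ticket is invalid: WordPress users who hold the unfiltered_html capability (administrators, and editors on a single-site install) are deliberately allowed to store raw HTML, so markup an administrator publishes on their own site is not a vulnerability. Comments from everyone else pass through WordPress's kses allowlist filter, which keeps only approved tags and attributes and therefore drops event-handler attributes such as onmouseover. The following Python example is added here to illustrate that allowlist model; it is not WordPress's own kses code, and the tag allowlist, the capability set passed as a plain Python set, and the helper names are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative allowlist (assumption: WordPress's real comment allowlist is
# larger and lives in its kses tables; this is not that table).
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "em": set(), "i": set(),
    "code": set(), "blockquote": set(), "p": set(),
}
# Only these URL schemes survive in href; javascript: and data: are dropped.
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.

    Disallowed tags are removed but their text content is kept (escaped),
    and any attribute not on the allowlist, including every on* event
    handler, is silently discarded.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag itself is dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # onmouseover, onclick, style, etc. end here
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_HREF_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so an entity-encoded "<script>" in the input
        # comes back out as harmless text rather than a tag.
        self.parts.append(escape(data, quote=False))

    def result(self):
        return "".join(self.parts)


def sanitize_comment(html: str) -> str:
    """Apply the allowlist filter to untrusted comment markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


def filter_comment(html: str, capabilities: set) -> str:
    """Mirror the capability gate: unfiltered_html bypasses the filter.

    `capabilities` is a constructed stand-in for a WordPress user's
    capability set (assumption for the illustration).
    """
    if "unfiltered_html" in capabilities:
        return html
    return sanitize_comment(html)


if __name__ == "__main__":
    # The payload from the ticket, as an ordinary (non-privileged) commenter.
    payload = "<a onmouseover=alert('XSS')>Click me</A>"
    print(filter_comment(payload, {"read"}))
    # The same payload from an account holding unfiltered_html is stored as-is,
    # which is the behaviour the linked FAQ describes.
    print(filter_comment(payload, {"unfiltered_html"}))
```

Run as a script, the first line printed is `<a>Click me</a>`: the handler attribute is gone and the closing tag is normalised. The second line is the untouched payload, which is exactly why a test performed from one's own administrator account does not demonstrate a flaw in the comment filter.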
