Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#48840 closed defect (bug) (invalid)

Stored Xss on WordPress

Reported by: mousecybersec
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.4
Component: Editor
Keywords:
Focuses:
Cc:


I tried to make a block in the post editor with an HTML block, then put a payload in the block; after I post and click, an alert appears on the WordPress website.

Attachments (1)

Screenshot_2019-11-30-16-20-30-114_org.mozilla.firefox.jpg (399.8 KB) - added by mousecybersec 5 years ago.


Change History (2)

#1 @SergeyBiryukov
5 years ago

  • Component changed from Post Formats to Editor
  • Focuses accessibility removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

When writing the ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Worth noting this is not a real security issue since administrators or editors are able to post arbitrary JavaScript.

If you think you have found a real security vulnerability, please head over to HackerOne, and do not post it here.

Thanks for your cooperation.
