Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#49430 closed defect (bug) (invalid)

XSS scripting in Post title

Reported by: nayeeem's profile nayeeem Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.3.2
Component: Security Keywords:
Focuses: Cc:



I found a Stored XSS when you create a post or page (/wordpress/wp-admin/post-new.php?post_type=post) then fill ther title with payload (For example: <svg/onload=alert(document.domain)>)

Then go to the post, XSS will be fired in the front end.

I am using WordPress version Version 5.3.2

PHP version: 7.3.8

Change History (4)

#1 @nayeeem
4 years ago

  • Focuses coding-standards added

#2 @nayeeem
4 years ago

  • Focuses privacy added

#3 @swissspidy
4 years ago

  • Focuses privacy coding-standards removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi @nayeeem

Welcome to WordPress Trac!

When creating this ticket you were shown a big Do not report potential security vulnerabilities here. warning. You even checked a checkbox that said " I am not reporting a security issue". Nevertheless you proceeded to create this ticket about a potential security vulnerability.

Please do not do this! Be mindful next time about reporting security vulnerabilities and use our HackerOne program instead.

That being said, please note that users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments, and upload HTML files to the media library. So what you are seeing is entirely expected behavior.

If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator or Editor putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery, and are divided into privileged cookies used for admin pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered within the admin dashboard.

And again, if you do find a valid security issue, report it via HackerOne!

Thanks for understanding.

This ticket was mentioned in Slack in #core-editor by hermpheus. View the logs.

3 years ago

Note: See TracTickets for help on using tickets.