#49430 closed defect (bug) (invalid)
XSS scripting in Post title
| Field | Value |
|---|---|
| Reported by: | nayeeem |
| Owned by: | |
| Milestone: | |
| Priority: | normal |
| Severity: | normal |
| Version: | 5.3.2 |
| Component: | Security |
| Keywords: | |
| Focuses: | |
| Cc: | |
Description
Hello,
I found a Stored XSS when you create a post or page (/wordpress/wp-admin/post-new.php?post_type=post) then fill the title with a payload (for example: <svg/onload=alert(document.domain)>).
Then go to the post; the XSS will be fired in the front end.
I am using WordPress version 5.3.2.
PHP version: 7.3.8
Change History (4)
Hi @nayeeem
Welcome to WordPress Trac!
When creating this ticket you were shown a big "Do not report potential security vulnerabilities here." warning. You even checked a checkbox that said "I am not reporting a security issue". Nevertheless you proceeded to create this ticket about a potential security vulnerability.
Please do not do this! Be mindful next time about reporting security vulnerabilities and use our HackerOne program instead.
That being said, please note that users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments, and upload HTML files to the media library. So what you are seeing is entirely expected behavior.
If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator or Editor putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery, and are divided into privileged cookies used for admin pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered within the admin dashboard.
And again, if you do find a valid security issue, report it via HackerOne!
Thanks for understanding.
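As an added illustration of the capability-based filtering the reply above describes (this is example code, not part of the ticket and not WordPress core): a must-use plugin that denies the `unfiltered_html` capability to every role, so that titles and content saved by Administrators and Editors pass through the same KSES filters as lower roles. It assumes a standard WordPress install with the file placed in wp-content/mu-plugins/; the hook names and the `DISALLOW_UNFILTERED_HTML` constant are real WordPress APIs, while `example_preview_filtered_title` is a helper name chosen for this example.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html to every role (added example)
 *
 * Install as wp-content/mu-plugins/deny-unfiltered-html.php. Must-use plugins
 * load before the 'init' hook, on which core's kses_init() decides, via
 * current_user_can( 'unfiltered_html' ), whether to attach the KSES filters
 * (wp_filter_kses on title_save_pre, wp_filter_post_kses on content_save_pre).
 * Same effect as define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php,
 * written as a plugin so it can be versioned with the site code.
 */

// Remap the meta capability to 'do_not_allow', which no role is ever granted,
// so has_cap( 'unfiltered_html' ) is false for Administrators and Editors too.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

/**
 * Preview what the title filter keeps, using the same allowed-tag context
 * ('title_save_pre') that core's wp_filter_kses() uses on save. With the
 * capability denied, a title such as the reporter's <svg/onload=...> is
 * reduced to whatever text KSES lets through; the svg element is not in the
 * default allowed list, so the tag is removed.
 */
function example_preview_filtered_title( $title ) {
    return wp_kses( $title, 'title_save_pre' );
}
```

To verify the hardening, save a post as an Administrator with the ticket's title and confirm the stored post_title no longer contains the tag; the same check with the plugin removed shows the unfiltered behaviour the reply describes as expected.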