WordPress.org

Make WordPress Core

#52067 closed defect (bug) (invalid)

Cross Site Scripting Vulnerability on "Comment" WordPress Version 5.6

Reported by: tucuong97 Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.6
Component: Script Loader Keywords:
Focuses: Cc:

Description (last modified by Clorith)

  1. Description:

Cross Site Scripting Vulnerability on "Comment" WordPress Version 5.6

  1. To Reproduce:

  • Go to any post on website using WordPress Version 5.6
  • Insert Payload in to field "comment"
  • Click "Comment"
  • View the preview to trigger XSS.
  1. Payload:

test"><script>alert(document.domain)</script>

  1. Screenshots:

https://i.imgur.com/jj5ZUSV.png
https://i.imgur.com/7UdGouq.png

  1. Impact

Commonly include transmitting private data, like cookies or other session
information, to the attacker, redirecting the victim to web content controlled
by the attacker, or performing other malicious operations on the user’s machine
under the guise of the vulnerable site.

  1. Desktop (please complete the following information):
  • OS: Ubuntu
  • Browser: Firefox
  • Version: 76.0.1

Change History (2)

#1 @ethicalhack3r
12 months ago

According to your screenshots, you were authenticated as an Administrator user when you submitted the payload.

Administrator and Editor users are permitted to submit unfiltered HTML and JavaScript. WordPress allows them to do this. These users have the unfiltered_html capability.

https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html

This is not a security vulnerability in the WordPress eco-system.

You can test this yourself by adding the following to your wp-config.php file, which disables this capability:

define( 'DISALLOW_UNFILTERED_HTML', true );

You will notice that with this constant set to true, that you will not be able to reproduce your issue.

#2 @Clorith
12 months ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi there, and welcome to the WordPress trac.

When submitting a ticket to trac, relating to security, you have to actively tick the box that states "I am not reporting a potential security vulnerability", although that is what this is.

All possible security vulnerabilities should be reported to the WordPress HackerOne project page so that it can be investigated and appropriate action can be taken in a timely manner, without causing unnecessary security risks.

You may also find value in reading the core handbook page on responsible disclosure.

Please note that administrator accounts in a default WordPress install have access to post unfiltered HTML and arbitrary JavaScript code, and is by design. You can read more about this at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html

Note: See TracTickets for help on using tickets.