Make WordPress Core

Opened 5 months ago

Closed 5 months ago

#53055 closed defect (bug) (invalid)

Cross-Site Scripting: Reflected

Reported by: mansontong
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.7
Component: Security
Keywords:
Focuses:
Cc:

Description

Cross-Site Scripting: Reflected
Kingdom: Input Validation and Representation

GET /subscriber/wp-admin/themes.php/%37%38%33%36%38 HTTP/1.1

...TRUNCATED.../subscriber/wp-admin/themes.php/78368" />

For details, please see this screen capture:
http://prntscr.com/11oa70c

Change History (1)

#1 @peterwilsoncc
5 months ago

  • Component changed from Administration to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Please don't post security issues on the public Trac. WordPress has a HackerOne program you can use to report such issues.

That said, this isn't a cross-site scripting issue as the code does not execute. These are properly encoded return URLs so appending alert(1) to the URL does not produce an alert.
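To show why the ticket's probe is not exploitable, here is an added PHP illustration that is not WordPress core code: it writes a request path into a double-quoted attribute once through attribute encoding (plain htmlspecialchars() standing in for WordPress's esc_attr()) and once unencoded, then checks whether the reflected value stays inside the attribute. The hidden field's name and the percent-decoding step are assumptions; the ticket's truncated response only shows the digits reflected decoded as 78368.

```php
<?php
// Added illustration, not WordPress core code: why a path appended to
// themes.php does not become reflected XSS when the return URL is written
// into an attribute through proper encoding. Plain htmlspecialchars()
// stands in for WordPress's esc_attr() so the script runs on its own.

/** Encode a value for a double-quoted HTML attribute context. */
function attr_encode(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Reflect the request path into a hidden return-URL field, encoded. */
function safe_return_field(string $request_uri): string {
    // Assumption: the path is percent-decoded before reflection, which is
    // why %37%38%33%36%38 in the ticket came back as 78368.
    $path = rawurldecode($request_uri);
    // Field name is assumed for illustration; the ticket does not show it.
    return '<input type="hidden" name="return_to" value="' . attr_encode($path) . '" />';
}

/** Same field built without encoding, the way a real reflected XSS arises. */
function unsafe_return_field(string $request_uri): string {
    return '<input type="hidden" name="return_to" value="' . rawurldecode($request_uri) . '" />';
}

/** True when the reflected value cannot end the attribute or open a new tag. */
function attribute_is_contained(string $html): bool {
    // Only the <input ... /> tag itself may contribute a '<' and a '>'.
    if (substr_count($html, '<') !== 1 || substr_count($html, '>') !== 1) {
        return false;
    }
    // The three attributes account for exactly six double quotes; a raw
    // quote inside the value would add a seventh and end the attribute early.
    return substr_count($html, '"') === 6;
}

// Path from the ticket: percent-encoded digits, reflected decoded.
$benign = '/subscriber/wp-admin/themes.php/%37%38%33%36%38';
// Constructed breakout attempt of the kind an XSS scanner sends.
$probe  = '/subscriber/wp-admin/themes.php/"><script>alert(1)</script>';

foreach ([$benign, $probe] as $uri) {
    echo safe_return_field($uri), PHP_EOL;
    var_dump(attribute_is_contained(safe_return_field($uri)));   // encoded field
    var_dump(attribute_is_contained(unsafe_return_field($uri))); // unencoded field
}
```

Run with `php` on the command line; the encoded field stays contained for both paths, while the unencoded field is only contained for the benign digits.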
