Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#53819 closed enhancement (invalid)

XSS attack

Reported by: michal1994
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses: javascript
Cc:

Description

Hello, I am a programmer with little experience but a lot of passion. I was looking for the problem on the Internet, but I found nothing.

The problem is adding comments as an administrator: it is then possible to add <script> code. The same happens after installing the WooCommerce plugin and commenting on products. Is it really supposed to work like this? The script is added to the page and runs on every refresh.

Change History (1)

#1 @peterwilsoncc
3 years ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 5.8 deleted

As noted during the submission process, in future when reporting suspected security issues please do so to the WordPress HackerOne program.

Fortunately this report is not a valid security issue as administrators and editors are able to post any HTML by design. You can read more information about this at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
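The by-design behaviour described in the comment above is not a setting; it follows from the unfiltered_html capability. A site that does not want administrators or editors posting raw HTML in comments can still narrow it. The must-use plugin below is an added example written for this page, not WordPress core code and not the commenter's. It relies only on core hook and function names (kses_init(), wp_filter_kses(), the pre_comment_content filter, the DISALLOW_UNFILTERED_HTML constant) and assumes the default single-site hook order, with kses_init() attached at priority 10; the function names prefixed example_ are placeholders.

```php
<?php
/**
 * Plugin Name: Always filter comment HTML (added example)
 *
 * Drop into wp-content/mu-plugins/. Added example, not WordPress core code.
 *
 * Core attaches kses_init() to 'init' and 'set_current_user' at priority 10.
 * For a user who has the unfiltered_html capability (administrators and
 * editors on a single-site install) kses_init() removes the kses filters,
 * which is why an administrator's comment can carry a <script> element.
 * This plugin re-attaches the comment filter after kses_init() has run, so
 * comment text is reduced to the limited comment allow-list for every user
 * while post content is left as core handles it.
 *
 * The blunt alternative, in wp-config.php, removes the capability from all
 * users and therefore also filters post content for administrators:
 *
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 */

// Placeholder name; any unique function name works.
function example_always_filter_comment_html() {
    // Priority 20 runs after core's kses_init() at priority 10 on both hooks,
    // so the filter is present even when kses_init() just removed it.
    if ( false === has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
        add_filter( 'pre_comment_content', 'wp_filter_kses' );
    }
}
add_action( 'init', 'example_always_filter_comment_html', 20 );
add_action( 'set_current_user', 'example_always_filter_comment_html', 20 );

// Quick check, e.g. `wp eval 'var_dump( example_user_bypasses_kses() );' --user=admin`
// (placeholder name): does the current user skip kses filtering by default?
function example_user_bypasses_kses() {
    return current_user_can( 'unfiltered_html' );
}
```

wp_filter_kses() picks its allow-list from current_filter(), so when it runs on pre_comment_content it applies the same restricted tag set ordinary commenters get. The check function reports true for administrators and editors on a single site, and on multisite only for super admins, which matches the capability mapping the linked handbook page describes.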
