Opened 3 years ago
Closed 3 years ago
#53819 closed enhancement (invalid)
Attack XSS
| Field | Value |
|---|---|
| Reported by | michal1994 |
| Owned by | |
| Milestone | |
| Priority | normal |
| Severity | normal |
| Version | |
| Component | Security |
| Keywords | |
| Focuses | javascript |
| Cc | |
Description
Hello, I am a programmer with little experience but a lot of passion, and I was looking for a problem on the Internet, but I found nothing.
The problem is adding comments as an administrator: it is then possible to add `<script>` code. The same happens after installing the WooCommerce plugin and commenting on products. Is it really supposed to work like this? The script is added to the page and runs on every refresh.
Change History (1)
As noted during the submission process, in the future when reporting suspected security issues please do so to the WordPress HackerOne program.
Fortunately this report is not a valid security issue as administrators and editors are able to post any HTML by design. You can read more information about this at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
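The reply above states the design decision behind the ticket: users holding the `unfiltered_html` capability (administrators and editors on a single-site install) bypass the kses HTML filters that strip `<script>` from everyone else's comments. A site owner who does not want that default has two defender-side options. The following must-use plugin is an added example, not code from the ticket or from WordPress core; the plugin name and the helper `example_user_can_post_raw_html()` are made up for this illustration, while `DISALLOW_UNFILTERED_HTML`, the `pre_comment_content` filter, `wp_kses_post()` and `user_can()` are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Filter comments for all roles (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * WordPress skips its kses filters on comment content for any user who has
 * the `unfiltered_html` capability; this plugin removes that exception for
 * comments only, leaving post and page editing untouched.
 */

// Option 1 (not part of this plugin): the site-wide switch WordPress itself
// provides. Placed in wp-config.php it makes map_meta_cap() deny
// `unfiltered_html` to every user, so posts, pages and comments are all
// filtered. It is the blunt, all-or-nothing setting.
//
//     define( 'DISALLOW_UNFILTERED_HTML', true );

// Option 2 (this plugin): always pass submitted comment content through the
// post-content allow list, whoever submits it. A closure is used on purpose:
// core's own kses_remove_filters() unhooks wp_filter_kses for privileged users,
// and it would unhook ours too if we registered the same callback name.
add_filter( 'pre_comment_content', function ( $content ) {
    // wp_kses_post() keeps the tags allowed in post content (links, emphasis,
    // lists, images) and drops <script>, on* event attributes and javascript: URLs.
    return wp_kses_post( $content );
}, 10, 1 );

/**
 * Audit helper (hypothetical name): does this user get raw HTML through?
 *
 * user_can() resolves the capability via map_meta_cap(), so it reflects
 * DISALLOW_UNFILTERED_HTML and the multisite rule (only super admins have it),
 * whereas inspecting the stored role capabilities would not.
 *
 * @param int $user_id User ID to check.
 * @return bool True if the user bypasses kses filtering on content.
 */
function example_user_can_post_raw_html( $user_id ) {
    return user_can( $user_id, 'unfiltered_html' );
}
```

The closure approach narrows the change to comments, which matches the ticket's concern, while leaving the editor's ability to embed arbitrary markup in posts intact; if that ability is not needed either, the `DISALLOW_UNFILTERED_HTML` constant is the simpler and more complete control, and `example_user_can_post_raw_html()` can be used from WP-CLI or a debugging page to confirm that it took effect for a given account.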