Opened 3 years ago
Closed 3 years ago
#57524 closed defect (bug) (wontfix)
Bug when submitting a post using the WordPress Editor
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | critical | Version: | |
| Component: | Posts, Post Types | Keywords: | has-screenshots |
| Focuses: | | Cc: | |
Description
I have found a vulnerability when utilizing the WordPress Editor. I would like to be able to discuss this after I am able to reach an offer that is worth its value.
Thanks,
Paulson Kimani
Attachments (1)
Change History (3)
#1
@
3 years ago
- Keywords has-screenshots added
- Severity changed from blocker to critical
When I submit a Word document using the default post editor from a previous version of Microsoft Word, it allows HTML tags to be represented in the form.
#2
@
3 years ago
- Keywords needs-patch removed
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
- Version 6.1.1 deleted
Welcome to Trac, @pmk1071, and thank you for the report!
Unfiltered HTML in titles, posts, and comments is allowed by certain roles in WordPress, so this is a feature, and not a bug. (But I agree that it can seem odd 😂.) I'll close this ticket, since the behavior in question is expected.
For future reference, please keep in mind that Core Trac is used for non-security related bug reports. However, if you do come across a security issue in the future, please refer to the Reporting Security Vulnerabilities page for reporting guidelines. Thanks!
Note the opening and closing tags in the titles for the post names. It is reproducible and was not added afterwards.