Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#60598 closed defect (bug) (invalid)

Cross-site Scripting (XSS) in wordpress core files

Reported by: savannahj's profile savannahj Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.1.1
Component: Security Keywords:
Focuses: Cc:


When scanning using SYNK tool, getting the following vulnerability in multiple wordpress core files

Example 1
Cross-site Scripting (XSS) in /wp-includes/user.php

function get_users( $args = array() ) {

        $args                = wp_parse_args( $args );
        $args['count_total'] = false;

        $user_search = new WP_User_Query( $args );

        return (array) $user_search->get_results();

here $args is not sanitized

Example 2
Cross-site Scripting (XSS) in wp-admin/includes/template.php

// Then the rest of them.
        $output .= $walker->walk( $categories, 0, $args );

        if ( $parsed_args['echo'] ) {
                echo $output;

        return $output;

here $output is not sanitized

Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

Attachments (1)

vulnerability.PNG (56.3 KB) - added by savannahj 3 months ago.

Download all attachments as: .zip

Change History (2)

#1 @swissspidy
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi there and welcome to WordPress Trac,

When you created this ticket, you were presented multiple notices about not reporting security issues on Trac. You should always report potantial security issues to the WordPress HackerOne program instead. Please do not ignore these warnings next time.

With that said, those warnings you shared are invalid / false positives. get_users() does not operate on any HTTP parameters as input. And the wp_terms_checklist() function is expected to echo the output like this, so that's working as intended.

Please read through the above documentation if you use any such scanning tool and manually verify issues reported by such tools and include a valid proof of concept when reporting via HackerOne.

Note: See TracTickets for help on using tickets.