Opened 8 months ago
Closed 8 months ago
#60598 closed defect (bug) (invalid)
Cross-site Scripting (XSS) in wordpress core files
Reported by: | savannahj | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 6.1.1 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
When scanning with the Snyk tool, I get the following vulnerability in multiple WordPress core files.
Example 1
Cross-site Scripting (XSS) in /wp-includes/user.php

```php
<?php
function get_users( $args = array() ) {
	$args                = wp_parse_args( $args );
	$args['count_total'] = false;

	$user_search = new WP_User_Query( $args );

	return (array) $user_search->get_results();
}
```

Here `$args` is not sanitized.
Example 2
Cross-site Scripting (XSS) in wp-admin/includes/template.php

```php
<?php
// Then the rest of them.
$output .= $walker->walk( $categories, 0, $args );

if ( $parsed_args['echo'] ) {
	echo $output;
}

return $output;
```

Here `$output` is not sanitized.
Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).
Attachments (1)
Change History (2)
Hi there and welcome to WordPress Trac,
When you created this ticket, you were presented multiple notices about not reporting security issues on Trac. You should always report potential security issues to the WordPress HackerOne program instead. Please do not ignore these warnings next time.
With that said, those warnings you shared are invalid / false positives.
get_users() does not operate on any HTTP parameters as input. And the wp_terms_checklist() function is expected to echo the output like this, so that's working as intended.

Please read through the above documentation if you use any such scanning tool and manually verify issues reported by such tools and include a valid proof of concept when reporting via HackerOne.
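The manual verification the reply asks for comes down to two questions about the flagged `echo`: is the value actually attacker-controlled (an HTTP parameter, not an argument passed by the calling code), and was it escaped before it reached the sink? The following is an added illustration, not WordPress core code and not part of this ticket: a genuinely vulnerable render function next to its escaped form, plus a small list builder shaped like the flagged `wp_terms_checklist()` pattern, where each item is escaped as it is appended and the final `echo $output` is therefore not a real unescaped sink. All function names and the sample input are hypothetical and constructed here; `html_escape()` stands in for WordPress's `esc_html()`.

```php
<?php
// Added example, not WordPress core code and not part of this ticket.
// Function names are hypothetical; html_escape() stands in for esc_html().

function html_escape( string $value ): string {
	// ENT_QUOTES escapes both quote styles, so the result is safe inside
	// attribute values as well as element content.
	return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// The pattern the scanner describes: an HTTP parameter reaches echo
// unescaped. A scanner is right to flag this shape.
function render_greeting_unsafe( array $request ): string {
	$name = $request['name'] ?? 'guest';
	return '<p>Hello, ' . $name . '</p>';
}

// Same sink, same source, but the value is escaped before concatenation.
function render_greeting_safe( array $request ): string {
	$name = $request['name'] ?? 'guest';
	return '<p>Hello, ' . html_escape( $name ) . '</p>';
}

// Shaped like the flagged checklist code: $output is assembled from
// per-item markup in which every untrusted string is escaped, so echoing
// the assembled $output at the end adds no unescaped data.
function build_checklist( array $terms, bool $echo = true ): string {
	$output = '';
	foreach ( $terms as $id => $name ) {
		$output .= sprintf(
			'<li><label><input type="checkbox" name="tax_input[%d]" value="%d"> %s</label></li>' . "\n",
			(int) $id,
			(int) $id,
			html_escape( $name )
		);
	}
	if ( $echo ) {
		echo $output;
	}
	return $output;
}

// A quick check a reviewer can apply to any rendered fragment: the
// untrusted value must not appear verbatim if it contains markup characters.
function contains_raw_input( string $html, string $input ): bool {
	return strpbrk( $input, '<>"\'&' ) !== false && strpos( $html, $input ) !== false;
}

// Constructed sample input standing in for a query-string parameter.
$sample_request = array( 'name' => '<b>guest</b>' );

$unsafe = render_greeting_unsafe( $sample_request );
$safe   = render_greeting_safe( $sample_request );

echo "unsafe: " . $unsafe . "\n";  // markup from the request survives intact
echo "safe:   " . $safe . "\n";    // <b> becomes &lt;b&gt;

var_dump( contains_raw_input( $unsafe, $sample_request['name'] ) ); // bool(true)
var_dump( contains_raw_input( $safe, $sample_request['name'] ) );   // bool(false)

// Constructed term names, including one with markup characters.
$terms = array( 1 => 'News', 2 => 'R&D', 3 => '<b>Events</b>' );
$list  = build_checklist( $terms, false );
var_dump( contains_raw_input( $list, $terms[3] ) );                  // bool(false)
```

The point of `build_checklist()` is that a taint tool looking only at the `echo $output` line sees an unescaped sink, while the escaping actually happens one step earlier, per item, inside the loop. Tracing the value back to where it is produced, rather than stopping at the sink, is what separates a real finding from this kind of false positive.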