[wp-hackers] Security Vulnerability found
wordpress at coldforged.org
Wed Apr 13 14:00:50 GMT 2005
Eli Sarver wrote:
>Has this been addressed?
>Title: WordPress XSS and HTML injection
>Vulnerability discovery: SoulBlack - Security Research -
>Severity: Medium. Users can obtain cookies of other users and deface the website
>Affected version: <= 1.5
So, blog authors can insert HTML into their titles and posts?
Admittedly, perhaps some stripping of particular elements (e.g.
"script") could/should be done, but the arbitrary conversion of _all_ tags
is a bit daft. Look out for those "<em>" tags!