[wp-hackers] XSS vulnerability?
peter.westwood at ftwr.co.uk
Tue Aug 1 10:22:19 GMT 2006
On Tue, August 1, 2006 10:10 am, f.terenzani at gmail.com wrote:
> Hi all, I have read this fix [http://trac.wordpress.org/ticket/2953]
> on the WP 2.0.4:
> XSS Vulnerability in the 'post_tilte' parameter in
> wp-admin/page-new.php while submitting through the "Create New page"
> But I think this vulnerability is also there in the 'the_content'
> parameter if you put on post.php post field:
> alert('XSS Vulnerable');
> For this reason I made the script manager plugin
> Does this have to be considered a bug?
The admin (and any other user with the unfiltered_html capability) can
post whatever they like by design. (As ryan wrote in reply to that trac
A low level user or commenter without this capability will have the script
tag stripped out by kses.
Peter Westwood <peter.westwood at ftwr.co.uk>
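The capability-gated filtering Peter describes, as an added example (not code from the thread, from WordPress core, or from the script manager plugin). It assumes a plugin context where the WordPress functions current_user_can() and wp_kses() are loaded, and the allowlist is a constructed stand-in for the default $allowedposttags.

```php
<?php
// Added example, not WordPress core code. Demonstrates the design point from
// the reply: a user holding the unfiltered_html capability keeps their markup
// as-is, everyone else has their post content passed through kses.

// Constructed allowlist standing in for $allowedposttags. <script> is not
// listed, so kses removes it; <a href> and <strong> are kept. Attributes not
// listed for a tag (e.g. onclick) are dropped as well.
$example_allowed_tags = array(
    'a'      => array( 'href' => array(), 'title' => array() ),
    'strong' => array(),
    'p'      => array(),
);

/**
 * Return $content unchanged for trusted users, otherwise the kses-filtered form.
 * Hypothetical helper name; mirrors what kses_init() in wp-includes/kses.php
 * decides when it checks current_user_can('unfiltered_html').
 */
function example_filter_content( $content, $allowed_tags ) {
    // Admins (and any role granted unfiltered_html) are trusted by design.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // Low-level users: strip every tag and attribute not in the allowlist.
    // kses removes the disallowed tags themselves; the text between them stays.
    return wp_kses( $content, $allowed_tags );
}

// Constructed input modelled on the payload quoted in the question.
$example_input = '<p>Hello <strong>world</strong></p>'
    . '<script>alert(\'XSS Vulnerable\')</script>'
    . '<a href="http://example.com" onclick="alert(1)">link</a>';

// For a subscriber or contributor this prints the content with the <script>
// tags and the onclick attribute removed; for an administrator it prints the
// input verbatim, which is the behaviour the thread calls "by design".
echo example_filter_content( $example_input, $example_allowed_tags );
```

The same check is what a plugin should replicate before trusting user-supplied HTML on its own forms, rather than assuming the post editor has already filtered it.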