[wp-trac] [WordPress Trac] #58227: JavaScript can be entered as an image description
WordPress Trac
noreply at wordpress.org
Mon May 1 19:50:51 UTC 2023
#58227: JavaScript can be entered as an image description
--------------------------+-----------------------------
Reporter: Presskopp | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Media | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Editing an image (didn't try other media) in WordPress like on **[...]/wp-admin/post.php?post=[...]&action=edit**
you are able to enter JavaScript in the 'Description' field. You don't
have to be admin for that. I first reported this on hackerone and they did
let me know there do not appear to be any security implications as a
direct result of this behavior. It still shouldn't be possible, if you ask
me. Once entered, opening the media url will run the script, even if not
logged in at all. So for example you can load an external JS-file this
way.
I wonder why TinyMCE doesn't filter it out there, btw.
Example:
{{{
<script>
  alert("this is a description, let's load something..");
  function loadSomething() {
    var script = document.createElement('script');
    script.src = 'https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js';
    var head = document.getElementsByTagName("head")[0];
    head.appendChild(script);
  }
  loadSomething();
</script>
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58227>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform