[wp-trac] [WordPress Trac] #60598: Cross-site Scripting (XSS) in wordpress core files
WordPress Trac
noreply at wordpress.org
Thu Feb 22 09:45:38 UTC 2024
#60598: Cross-site Scripting (XSS) in wordpress core files
--------------------------+----------------------
Reporter: savannahj | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 6.1.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by swissspidy):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Hi there and welcome to WordPress Trac,
When you created this ticket, you were presented multiple notices about
not reporting security issues on Trac. You should always
[http://make.wordpress.org/core/handbook/reporting-security-
vulnerabilities/ report potantial security issues] to the
[https://hackerone.com/wordpress WordPress HackerOne program] instead.
Please do not ignore these warnings next time.
With that said, those warnings you shared are invalid / false positives.
`get_users()` does not operate on any HTTP parameters as input. And the
`wp_terms_checklist()` function is expected to echo the output like this,
so that's working as intended.
Please read through the above documentation if you use any such scanning
tool and manually verify issues reported by such tools and include a valid
proof of concept when reporting via HackerOne.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60598#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list