[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org

buddypress-trac noreply at wordpress.org
Thu Nov 26 07:09:52 UTC 2020

#8404: Html code injection buddypress.org
 Reporter:  zeldatea      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:  6.3.0
 Severity:  normal        |   Keywords:
 I found small bug on my profile page. I don't think that it's maybe
 security bug.
 It's only broke my page. But not another users.

 Go to the my profile on buddypress.org

 Edit profile and in the field: About me or WordPress Origin Story and
 insert code :

 <span style="background-
 color:dodgerblue;color:white;padding:3000000px;border:30px solid
 Update profile and you can see stored simple html code injection.
 Example on my page profile :

 How to use this? Hard question. Right now I don't see a way to use this.
 I often see such bugs in different SMS with the span tag. As an example ..
 if this is possible on the forum, then using the span tag you can not only
 deface the page, but also spoil a large topic and prevent users from
 communicating and reading in this topic.
 But on the forum buddypress.org it's don't works.

 The Best Regards!



Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list