[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org
buddypress-trac
noreply at wordpress.org
Thu Nov 26 07:09:52 UTC 2020
#8404: Html code injection buddypress.org
--------------------------+-----------------------------
Reporter: zeldatea | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Core | Version: 6.3.0
Severity: normal | Keywords:
--------------------------+-----------------------------
Hello.
I found a small bug on my profile page. I don't think that it is maybe a
security bug.
It only broke my page, but not other users'.
Go to my profile on buddypress.org.
Edit the profile and, in the field About me or WordPress Origin Story,
insert this code:
{{{
<span style="background-color:dodgerblue;color:white;padding:3000000px;border:30px solid red">Текст</span>
}}}
Update the profile and you can see a simple stored HTML code injection.
Example on my profile page:
https://buddypress.org/members/zeldatea/profile/
How to use this? Hard question. Right now I don't see a way to use this.
I often see such bugs in different CMSs with the span tag. As an example,
if this is possible on the forum, then using the span tag you could not only
deface the page, but also spoil a large topic and prevent users from
communicating and reading in that topic.
But on the buddypress.org forum it doesn't work.
Best regards!
Vincent
https://pentestvincent.blogspot.com/
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404>
BuddyPress Trac <http://buddypress.org/>
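An allow-list sanitizer of the kind that closes this class of bug, written here as an added example in Python (it is not BuddyPress code, which is PHP and uses wp_kses); the allowed tags, attributes and URL schemes are an assumed policy for illustration, and the run below feeds it the exact span from the ticket.

```python
"""Allow-list HTML sanitizer for user-supplied profile text (added example).

Every tag and attribute not explicitly allowed is dropped, so an inline
``style`` on a ``<span>`` can no longer distort the page layout as the
padding/border payload in the ticket does.
"""
from html import escape
from html.parser import HTMLParser

# Constructed policy: tags and attributes a profile field may carry.
# ``style`` and event handlers are absent everywhere; ``span`` is not allowed.
ALLOWED = {"a": {"href", "title"}, "b": set(), "strong": set(),
           "i": set(), "em": set(), "p": set(), "br": set()}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class ProfileSanitizer(HTMLParser):
    """Rebuilds the input, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_allowed = []  # stack of allowed tags already emitted

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the markup but keep the text content inside it
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # refuse javascript:, data: and similar schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_allowed.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_allowed:  # close inner tags too, keeping output well-formed
            while self.open_allowed:
                top = self.open_allowed.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped


def sanitize_profile_html(raw):
    parser = ProfileSanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_allowed:  # close anything the user left open
        parser.out.append(f"</{parser.open_allowed.pop()}>")
    return "".join(parser.out)
```

Running `sanitize_profile_html` on the ticket's span yields only the text `Текст`, with the styled element removed.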