[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org

buddypress-trac noreply at wordpress.org
Fri Nov 27 15:37:48 UTC 2020

#8404: Html code injection buddypress.org
 Reporter:  zeldatea              |       Owner:  johnjamesjacoby
     Type:  defect (bug)          |      Status:  accepted
 Priority:  high                  |   Milestone:  6.4.0
Component:  BuddyPress.org Sites  |     Version:
 Severity:  minor                 |  Resolution:
 Keywords:  has-patch             |
Changes (by johnjamesjacoby):

 * keywords:   => has-patch
 * priority:  normal => high
 * status:  new => accepted
 * severity:  normal => minor
 * milestone:  BuddyPress.org Sites => 6.4.0


 Hello @zeldatea,

 Thanks for alerting us to your findings. Unfortunately, the public Trac is
 not the place to report security concerns, because it makes it easy for
 others to publicly exploit things before our team has an opportunity to
 fix them.

 Please use HackerOne in the future: http://hackerone.com/wordpress

 In addition, it's against the WordPress.org rules to run penetration tests
 on the live sites. Leaving live pages defaced could allow others to
 reverse engineer what you've left behind.

 Specific to this issue, I've traced it back to #5625, and it actually
 appears to be working as intended at the time, though I suspect that the
 consequences you've discovered were simply not considered at the time.

 @imath has patched this in a way that I am signing off on. It could be
 considered a backwards compatibility break, but in this instance I believe
 it's more important to be safe than flexible, simply due to the vandalism
 that users could cause with it remaining as-is or similar.

 Patches & commits imminent.

 Thank you again2 @zeldatea and @imath.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404#comment:3>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list