[wp-trac] [WordPress Trac] #16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 3 18:18:14 UTC 2011

#16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config
 Reporter:  danielmiessler  |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.1
Component:  General         |     Version:  3.1
 Severity:  critical        |  Resolution:
 Keywords:  has-patch       |

Comment (by ericmann):

 Replying to [comment:2 danielmiessler]:
 > I think I followed the correct procedure.

 No, you didn't.

 > I went to wordpress.org, typed "report a vulnerability" into the search
 field, and was given instructions on how to properly fill out a trac

 The page that comes up from that search
 (http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting
 security issues" section that refers you to the Security FAQ page
 (http://codex.wordpress.org/Security_FAQ).  This section reminds you to
 notify the vendor (the WordPress core team) privately rather than publicly
 about exploits, and the Security FAQ page provides the actual contact

 It is bad practice to report security vulnerabilities in public.  We need
 time to patch the issue and provide an update to users before anyone who
 would exploit the vulnerability gets a hold of it.

Ticket URL: <http://core.trac.wordpress.org/ticket/16089#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software