[wp-trac] [WordPress Trac] #33402: Zero Day on the Comment section on latest WordPress release
WordPress Trac
noreply at wordpress.org
Tue Aug 18 09:10:42 UTC 2015
#33402: Zero Day on the Comment section on latest WordPress release
--------------------------+----------------------
Reporter: 3ntr0py | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 4.2.4
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by dd32):
* milestone: Awaiting Review =>
Comment:
Additionally, I'd like to point out that in order to post this ticket, you
had to check a checkbox which specifically said - "I am not reporting a
security issue — report security issues to security at wordpress.org".
As @clorith has pointed out, you're submitting the comment as a user who
has the unfiltered_html capability, most likely an administrator. We cover
this specifically in this security-reporting article:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33402#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
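For site owners who do not want administrators' comments to bypass the KSES allow-list, the following is an added example (not code from the ticket or from WordPress core) showing the hardening: it assumes the core `DISALLOW_UNFILTERED_HTML` constant, the `pre_comment_content` filter and the `wp_kses()` context lookup behave as documented, and that core's own `kses_remove_filters()` only unhooks callbacks at the default priority 10.

```php
<?php
// 1) wp-config.php: revoke the unfiltered_html capability for every role,
//    including administrators, so core's KSES filters stay attached.
//    (Core constant; set before wp-settings.php is loaded.)
define( 'DISALLOW_UNFILTERED_HTML', true );

// 2) mu-plugin: run comment content through the restrictive comment
//    allow-list regardless of the submitting user's capabilities.
//    Priority 20 and an anonymous callback are assumed to keep this hook
//    out of reach of core's kses_remove_filters(), which targets the named
//    'wp_filter_kses' callback at priority 10.
add_filter( 'pre_comment_content', function ( $content ) {
    // 'pre_comment_content' resolves to the same tag set core applies to
    // comments from users without unfiltered_html.
    return wp_kses( $content, 'pre_comment_content' );
}, 20 );

// 3) Optional audit helper (assumed name): list user IDs that still hold
//    unfiltered_html, e.g. for a WP-CLI eval or an admin notice.
function audit_unfiltered_html_users() {
    $holders = array();
    foreach ( get_users( array( 'fields' => array( 'ID' ) ) ) as $user ) {
        if ( user_can( (int) $user->ID, 'unfiltered_html' ) ) {
            $holders[] = (int) $user->ID;
        }
    }
    return $holders;
}
```

With the constant set, `audit_unfiltered_html_users()` is expected to return an empty array; a non-empty result means a plugin re-grants the capability and the comment filter in step 2 is the remaining safeguard.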