[wp-trac] [WordPress Trac] #41090: XSS via title and body in three default themes
WordPress Trac
noreply at wordpress.org
Sat Jun 17 21:30:54 UTC 2017
#41090: XSS via title and body in three default themes
--------------------------+-----------------------------
Reporter: rudr4sarkar | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Themes | Version: 4.8
Severity: normal | Keywords:
Focuses: template |
--------------------------+-----------------------------
Hi Team,
I found XSS in three default themes of WordPress.
Affected Themes:
1. Twenty Fifteen
2. Twenty Seventeen
3. Twenty Sixteen
Steps to reproduce:
1. Go to http://localhost/wordpress/wp-admin/post-new.php
2. Add a title: whatever <svg onload="alert(document.domain)"></svg>
3. Now also add a body: Your Post...... <svg onload="alert(document.domain)"></svg>
4. Now go to http://localhost/wordpress/ and you will get 3 alerts.
[N.B.] I also tried it without admin access and the XSS executed.
Looking forward to hearing from WordPress Security.
Thank you,
Rudra Sarkar
Independent Security Researcher
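The triage question on a report like this is which capability the test account holds, not which theme renders the post. WordPress attaches its kses filters to title_save_pre and content_save_pre only for users who lack the unfiltered_html capability; administrators and editors on a single-site install hold that capability by default, so HTML they type into the title or body is stored and echoed by every theme as written. For accounts without it, the svg tag is not on the post allowlist and on* event-handler attributes are never allowed, so the payload above is reduced to plain text at save time. The script below is an added example, not WordPress core code: it implements an allowlist filter in the style of wp_kses over a small constructed subset of tags and attributes (the real allowedposttags table is much larger), and a save_post_field() helper that mirrors the capability decision. The title and body strings are the ones from the report, used here as constructed test input.

```python
"""Added example (not WordPress core code): an allowlist HTML filter in the
style of WordPress's wp_kses, used to show why the payload in this report is
stored verbatim only for accounts that hold the unfiltered_html capability.
The allowlist below is a small constructed subset, not WordPress's real
allowedposttags table."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: tag -> attributes permitted on it. No svg, no script,
# and no on* event-handler attributes anywhere.
ALLOWED = {
    "a": {"href", "title"},
    "p": set(),
    "strong": set(),
    "em": set(),
    "img": {"src", "alt"},
}
VOID_TAGS = {"img", "br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs


def safe_url(url):
    """Reject javascript:, data: and similar, including obfuscated forms such
    as 'java\\tscript:' (ASCII control characters are removed first)."""
    cleaned = re.sub(r"[\x00-\x20]", "", url or "")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class KsesLikeFilter(HTMLParser):
    """Re-serialises a fragment, keeping only allowlisted tags/attributes.
    Text inside a dropped tag is kept as escaped text, so nothing that was
    markup on input can survive as markup on output."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # e.g. <svg onload=...>: the whole tag is dropped
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue  # covers every on* handler, style, srcdoc, ...
            if name in ("href", "src") and not safe_url(value):
                continue  # allowed attribute, disallowed URL scheme
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def kses(fragment, allowed=ALLOWED):
    """Filter one HTML fragment through the allowlist."""
    parser = KsesLikeFilter(allowed)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def save_post_field(value, user_has_unfiltered_html):
    """Mirror of the save-time decision in WordPress: the kses filters on
    title_save_pre / content_save_pre are attached only when the user lacks
    the unfiltered_html capability, so privileged users' HTML is stored as
    typed and later echoed verbatim by the_title() / the_content()."""
    return value if user_has_unfiltered_html else kses(value)


if __name__ == "__main__":
    # The exact title and body from the report, used as constructed input.
    title = 'whatever <svg onload="alert(document.domain)"></svg>'
    body = 'Your Post...... <svg onload="alert(document.domain)"></svg>'
    for field in (title, body):
        print("unfiltered_html :", save_post_field(field, True))
        print("filtered        :", save_post_field(field, False))
```

Running it shows the same string coming back untouched for the privileged path and collapsing to "whatever " / "Your Post...... " for the filtered path. To confirm which path a test account takes on a real install, check current_user_can('unfiltered_html') for that user (or simply inspect the stored post_title in the database after saving); a contributor or author account that still stores the raw svg tag would indicate a filter bypass, whereas an administrator storing it is the intended behaviour.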
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41090>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform