[wp-trac] [WordPress Trac] #52067: Cross Site Scripting Vulnerability on "Comment" WordPress Version 5.6
WordPress Trac
noreply at wordpress.org
Mon Dec 14 12:59:26 UTC 2020
#52067: Cross Site Scripting Vulnerability on "Comment" WordPress Version 5.6
---------------------------+-----------------------------
Reporter: tucuong97 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version: 5.6
Severity: critical | Keywords:
Focuses: |
---------------------------+-----------------------------
1. Description:
----------------------
Cross Site Scripting Vulnerability on "Comment" WordPress Version 5.6
2. To Reproduce:
----------------------
- Go to any post on a website running WordPress Version 5.6
- Insert the payload into the "comment" field
- Click "Comment"
- View the preview to trigger the XSS.
3. Payload:
----------------------
test"><script>alert(document.domain)</script>
4. Screenshots:
----------------------
https://i.imgur.com/jj5ZUSV.png
https://i.imgur.com/7UdGouq.png
5. Impact
----------------------
Impacts commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
6. Desktop (please complete the following information):
- OS: Ubuntu
- Browser: Firefox
- Version: 76.0.1
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52067>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
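The report above describes stored XSS through the comment field. The usual defence is to never echo comment text raw: either HTML-escape it for the context it lands in, or, if some markup is wanted in comments, run it through an allow-list sanitizer (WordPress does the latter with wp_kses). The following is an added illustration, not WordPress code and not the reporter's; it uses only the Python standard library and a constructed allow-list, and shows how both approaches neutralize the exact payload from the ticket while leaving benign markup intact.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list for this example (tag -> attributes permitted on it).
# Anything not listed is dropped; attributes such as onclick never survive.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "code": set(), "blockquote": {"cite"}, "p": set(),
}
DROP_CONTENT = {"script", "style"}  # elements whose inner text is discarded


def render_plain(comment: str) -> str:
    """Simplest fix: treat the comment as text and escape it for an HTML body.
    The payload is displayed literally and cannot start a tag."""
    return escape(comment, quote=True)


def safe_url(value: str) -> bool:
    """Permit only relative, http(s) and mailto links in href/cite attributes."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in {"", "http", "https", "mailto"}


class CommentSanitizer(HTMLParser):
    """Allow-list sanitizer: rebuilds the markup from parsed events, so only
    known tags and attributes are emitted and all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded in handle_data
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in ("href", "cite") and not safe_url(value):
                continue  # e.g. javascript: URLs are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escaping here is what defuses the payload's stray '">'
            self.out.append(escape(data, quote=True))


def sanitize_comment(raw: str) -> str:
    """Return comment HTML reduced to the allow-list, safe to place in a page body."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    payload = 'test"><script>alert(document.domain)</script>'  # from the ticket
    print(render_plain(payload))       # test&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;
    print(sanitize_comment(payload))   # test&quot;&gt;
    print(sanitize_comment('<a href="javascript:alert(1)" onclick="x()">link</a>'))  # <a>link</a>
```

Note that the sanitizer decodes character references before escaping, so an input that already contains `&lt;script&gt;` is not double-decoded into a live tag, and attribute values are always quoted and escaped so the `"` in the payload cannot close an attribute the way the ticket's screenshots show.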