[wp-trac] [WordPress Trac] #49430: XSS scripting in Post title
WordPress Trac
noreply at wordpress.org
Fri Feb 14 06:41:51 UTC 2020
#49430: XSS scripting in Post title
--------------------------+-----------------------------
 Reporter:  nayeeem       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  5.3.2
 Severity:  critical      |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
Hello,
I found a Stored XSS when you create a post or page
(/wordpress/wp-admin/post-new.php?post_type=post) then fill the title with
a payload (for example: <svg/onload=alert(document.domain)>)
Then go to the post, XSS will be fired in the front end.
I am using WordPress version 5.3.2
PHP version: 7.3.8
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49430>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
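
One way a site owner could keep markup such as the payload quoted in the ticket out of post titles, shown as an added example (it is not WordPress core code and not part of the ticket). The `example_` function names are hypothetical, and the plugin assumes titles on the site are meant to be plain text for every user role.

```php
<?php
/**
 * Plugin Name: Plain-text post titles (added example, not WordPress core code)
 *
 * Assumption: no role on this site needs HTML in a post or page title.
 */

/**
 * On save: remove all tags from the title before it is written to the
 * database. wp_insert_post_data passes slashed data, so unslash the value,
 * clean it, and slash it again.
 */
function example_plain_title_on_save( $data ) {
	if ( isset( $data['post_title'] ) ) {
		$title              = wp_unslash( $data['post_title'] );
		$data['post_title'] = wp_slash( wp_strip_all_tags( $title, true ) );
	}
	return $data;
}
add_filter( 'wp_insert_post_data', 'example_plain_title_on_save' );

/**
 * On output: titles saved before this plugin was active may still hold
 * markup, so strip tags again when the title is read on the front end.
 * Tags are stripped rather than entity-encoded here so that entities
 * WordPress itself adds to titles are not encoded a second time.
 */
function example_plain_title_on_output( $title ) {
	if ( is_admin() ) {
		return $title; // Leave admin screens to their own escaping.
	}
	return wp_strip_all_tags( $title, true );
}
add_filter( 'the_title', 'example_plain_title_on_output' );

// In theme templates, escape at the point of output as well:
//   echo esc_html( get_the_title() );   // element content
//   the_title_attribute();              // inside an HTML attribute
```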