I found some XSS with ?tag= (11 posts)

  1. etardwebcam
    Member
    Posted 3 years ago #

    I found some XSS
    http://somesite.com/?tag='"><script>alert(1)</script>
    and the same thing works with ?cat= and ?m=

    I would like to know how to go about fixing it.
    I'm not sure if this is a hole in WP or my theme.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 3 years ago #

  3. etardwebcam
    Member
    Posted 3 years ago #

    OK, but I was not hacked; this is the work of some dumb coder not doing his job.

  4. etardwebcam
    Member
    Posted 3 years ago #

    So I ask again:
    http://somesite.com/?tag='"><script>alert(1)</script>
    I would like to know how to go about fixing it.
    But I'm not sure if this is a hole in WP or my theme?
    Is anyone out there running WP 3.0.1 getting this XSS?

  5. Samuel B
    moderator
    Posted 3 years ago #

    Never seen it except when hacked.
    Do you have an example link?

  6. etardwebcam
    Member
    Posted 3 years ago #

    Yeah, but I really don't want to post it on here -_-

    I also found some more:
    http://somesite.com/?tag='"><script>alert(1)</script>
    http://somesite.com/?cat='"><script>alert(1)</script>
    http://somesite.com/?m='"><script>alert(1)</script>
    http://somesite.com/?s='"><script>alert(1)</script>
    http://somesite.com/?page_id='"><script>alert(1)</script>
    http://somesite.com/?author='"><script>alert(1)</script>

    So what you're saying is someone hacked me & made it so the XSS works with tag, cat, m, page_id, author?
    I don't think I was hacked; it's got to be a bad plugin or theme.
    I'm running Atahualpa theme 3.5.3

  7. Samuel B
    moderator
    Posted 3 years ago #

    > I don't think I was hacked; it's got to be a bad plugin or theme.
    > I'm running Atahualpa theme 3.5.3

    That's easily tested:
    deactivate all plugins and test;
    switch to the Twenty Ten theme and test.

  8. etardwebcam
    Member
    Posted 3 years ago #

    I did it & found out it's Global Translator version 1.3.2.
    I need to somehow get hold of the maker,
    or can you do that?
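
    The kind of defect that produces reflections like the ones above, as an added example (not code from this thread, from WordPress core or from Global Translator): a hypothetical plugin function that prints the current request URL into a language link, first in the form that echoes query parameters unescaped, then hardened with WordPress's add_query_arg(), esc_url() and esc_html(). It assumes it runs inside WordPress; the gt_* function names and the language list are made up.

```php
<?php
// Added example, not the plugin's real code. Runs inside WordPress, which
// supplies add_query_arg(), esc_url(), esc_html() and wp_unslash().

// VULNERABLE: the raw request URI (attacker-controlled via ?tag=, ?cat=,
// ?m= ...) lands inside an HTML attribute. A value such as
// '"><script>alert(1)</script> closes the attribute and the tag, and the
// browser runs the script. This is why every query parameter "works".
function gt_translate_link_vulnerable( $lang ) {
    $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    return '<a href="' . $current . '&lang=' . $lang . '">' . $lang . '</a>';
}

// HARDENED: validate input against a fixed list, build the URL with
// add_query_arg() (which, given only key/value, uses the current request
// URI), and escape at output time. add_query_arg() does NOT escape its
// result, so esc_url() is required before printing it into href="".
function gt_translate_link_hardened( $lang ) {
    $allowed = array( 'en', 'it', 'de', 'fr', 'es' ); // hypothetical list
    if ( ! in_array( $lang, $allowed, true ) ) {
        return '';
    }
    $url = add_query_arg( 'lang', $lang );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $lang ) . '</a>';
}

// Same rule for a parameter printed as text: escape for the HTML context
// it is printed into (esc_html here, esc_attr inside an attribute).
function gt_tag_heading() {
    $tag = isset( $_GET['tag'] ) ? wp_unslash( $_GET['tag'] ) : '';
    return '<h2>Posts tagged ' . esc_html( $tag ) . '</h2>';
}
```

    Switching themes and plugins off one at a time, as suggested above, finds which code reflects the parameter; reading that code for an unescaped echo of $_GET or $_SERVER['REQUEST_URI'] finds the line.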

  9. James
    Happiness Engineer
    Posted 3 years ago #

    No, we don't have any special developer contacting powers. You'll have to contact him.

    You did the right thing by posting here:

    http://wordpress.org/support/topic/xss-attack-found-in-global-translator-132

  10. etardwebcam
    Member
    Posted 3 years ago #

    Yeah, I did not know if Samuel B
    had some way of getting hold of him faster.
    All I do know is the maker of that plugin is not easy to get hold of,
    & Global Translator is not the kind of plugin I can go without.
    If I do, I will piss off Google when all the many translated pages start to not show up with the plugin off.

    p.s.
    Thanks for all of your help everyone ;)

  11. Samuel B
    moderator
    Posted 3 years ago #

    Hi, well, good job I guess - hate to see a plugin hack.
    Might try an earlier version to see if it's vulnerable:
    http://wordpress.org/extend/plugins/global-translator/download/

    You can contact the author here:
    http://www.n2h.it/contatti/
    I think he would be very interested to know about this.

Topic Closed
