I found some XSS with ?tag= (11 posts)

  1. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    I found some XSS
    http://somesite.com/?tag='"><script>alert(1)</script>
    and the same thing works with ?cat= ?m=

    and I would like to know how to go about fixing it?
    I'm not sure if this is a hole in WP or my Theme

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    OK, but I was not hacked; this is the work of some dumb coder not doing this job.

  4. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    so I ask again
    http://somesite.com/?tag='"><script>alert(1)</script>
    I would like to know how to go about fixing it.
    but I'm not sure if this is a hole in WP or my Theme?
    is anyone out there running WP 3.0.1 getting this XSS?

  5. Samuel B
    moderator
    Posted 3 years ago #

    never seen it except when hacked
    do you have an example link?

  6. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    yeah but I really don't want to post it on here -_-

    I also found some more
    http://somesite.com/?tag='"><script>alert(1)</script>
    http://somesite.com/?cat='"><script>alert(1)</script>
    http://somesite.com/?m='"><script>alert(1)</script>
    http://somesite.com/?s='"><script>alert(1)</script>
    http://somesite.com/?page_id='"><script>alert(1)</script>
    http://somesite.com/?author='"><script>alert(1)</script>

    so what you're saying is someone hacked me & made it so the XSS works with tag, cat, m, page_id, author
    I don't think I was hacked; it's got to be a bad plugin or theme
    I'm running Atahualpa theme 3.5.3

  7. Samuel B
    moderator
    Posted 3 years ago #

    I don't think I was hacked; it's got to be a bad plugin or theme
    I'm running Atahualpa theme 3.5.3

    that's easily tested
    deactivate all plugins and test
    switch to twenty ten theme and test

  8. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    I did it & found out it's Global Translator Version 1.3.2
    I need to somehow get hold of the maker
    or can you do that?

  9. No, we don't have any special developer contacting powers. You'll have to contact him.

    You did the right thing by posting here:

    http://wordpress.org/support/topic/xss-attack-found-in-global-translator-132

  10. E-TARD The LifeCaster
    Member
    Posted 3 years ago #

    yeah I did not know if Samuel B
    had some way of getting hold of him faster.
    all I do know is the maker of that plugin is not easy to get hold of
    & Global Translator is not the kind of plugin I can go without.
    if I do I will piss off Google when all the many translated pages start to not show up if I have the plugin off.

    p.s.
    Thanks for all of your help everyone ;)

  11. Samuel B
    moderator
    Posted 3 years ago #

    Hi, well good job I guess - hate to see a plugin hack
    might try an earlier version to see if it's vulnerable
    http://wordpress.org/extend/plugins/global-translator/download/

    you can contact author here
    http://www.n2h.it/contatti/
    I think he would be very interested to know about this
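The fix the original poster asked about, as an added example that is not code from Global Translator, the Atahualpa theme or WordPress core: a hypothetical plugin function that reflects the ?tag= value into a link, first unescaped and then with WordPress output escaping. The function names are invented, and the small esc_* stand-ins are assumed only so the file also runs outside WordPress on the command line.

```php
<?php
// Added example, not code from Global Translator or the Atahualpa theme.
// Shows the reflected-XSS pattern behind the ?tag= reports in the thread and
// the WordPress way to fix it. Function names are hypothetical.

// Outside WordPress (e.g. `php this-file.php`) the esc_* helpers do not exist;
// these stand-ins mirror their behaviour closely enough for the demo.
// Inside WordPress the real esc_attr()/esc_html() are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
    function esc_attr( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable: the raw query value is dropped into an attribute and into text.
// A value such as '"><script>alert(1)</script> closes the quote and the <a>,
// so the browser parses a real <script> element and runs it.
function demo_tag_link_vulnerable( $tag ) {
    return '<a href="/?tag=' . $tag . '">' . $tag . '</a>';
}

// Fixed: escape for the context the value lands in. rawurlencode() makes it a
// safe URL query component, esc_attr() makes the attribute safe and esc_html()
// the link text. Quotes and angle brackets become entities, so the markup the
// plugin wrote stays exactly the markup the browser sees.
function demo_tag_link_safe( $tag ) {
    $href = '/?tag=' . rawurlencode( $tag );
    return '<a href="' . esc_attr( $href ) . '">' . esc_html( $tag ) . '</a>';
}

// The probe value reported in the thread; in a plugin it would be $_GET['tag'].
$probe = '\'"><script>alert(1)</script>';
echo "vulnerable: " . demo_tag_link_vulnerable( $probe ) . "\n";
echo "fixed:      " . demo_tag_link_safe( $probe ) . "\n";
```

The same rule applies to every reflected parameter listed in the thread (cat, m, s, page_id, author): escape at the point of output, in the context the value is written into.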

Topic Closed

This topic has been closed to new replies.
