num73when i was uploading a new theme, i was asked to put ftp data
so if you put a xss code in the username field + host valid + invalid password
the javascript code will execute ..this is url
http://host.com/wp-admin/update.php?action=upload-theme&package=lala.zip&_wpnonce=1aaaaa1a1a
but i thing "_wponce" is type of id of admin , then the xss cant exploit without the value of _wponce :D
regards and sorry google is not a good teacher of english XD
