WordPress.org


WP still hasn't fixed XSS Vulnerability in unsanitized comments?!?! (5 posts)

  1. dtrenz
    Member
    Posted 4 years ago #

    I just upgraded (long overdue) to the latest version of WP (2.9.1) after getting hacked. I noticed that in the old version of WP, you could add JavaScript to a comment and it would execute!

    I have just upgraded, and assumed that this would be fixed, but it hasn't!

    If you want to be terrified, give it a try yourself.

    All someone needs to do is put this in a comment:

    <script>document.location="http://www.bad-website-goes-here.com";</script>

    ...and anyone who visits that post will be redirected to another site that could do all sorts of bad things, like load malware, or phish for info, etc...

    PLEASE PLEASE PLEASE patch this!

    In the meantime, I guess I have to write a plug-in to sanitize comments? How could this have been left open for soooo long?!

  2. Chris_K
    Member
    Posted 4 years ago #

    If you feel you've found a security issue, please send in a notification: http://codex.wordpress.org/FAQ_Security#Where_do_I_report_security_issues.3F

  3. dtrenz
    Member
    Posted 4 years ago #

    Sent. Thanks.

  4. dtrenz
    Member
    Posted 4 years ago #

    FYI - I just installed the "HTML Purified" plug-in and it patches this vulnerability.

  5. mrmist
    Forum Janitor
    Posted 4 years ago #

    Not exactly.

    *You* can post scripts in comments because you are a blog admin, normal commenters cannot post scripts.
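The behaviour mrmist describes comes from the `unfiltered_html` capability: WordPress runs comment content through its kses allowlist filter only for users who lack that capability, so an admin testing on their own site sees their `<script>` survive. The following is an added example, not code from the thread or from WordPress core: a hypothetical must-use plugin that applies the allowlist to every comment regardless of the author's capabilities. `wp_kses`, `pre_comment_content`, `stripslashes`/`addslashes` are real WordPress/PHP functions; the plugin and function names are made up for this illustration.

```php
<?php
/*
Plugin Name: Force comment allowlist (hypothetical example)
Description: Apply the kses allowlist to comment content for all users,
             including those with the unfiltered_html capability.
*/

// Hypothetical function name for this example.
function example_force_comment_kses( $content ) {
    // Explicit allowlist: tag name => allowed attributes.
    // <script>, <iframe>, on* handlers etc. are not listed, so wp_kses
    // strips the tags and keeps only their text content.
    $allowed_tags = array(
        'a'          => array( 'href' => true, 'title' => true ),
        'abbr'       => array( 'title' => true ),
        'b'          => array(),
        'blockquote' => array( 'cite' => true ),
        'code'       => array(),
        'em'         => array(),
        'i'          => array(),
        'strong'     => array(),
    );

    // Content on pre_comment_content is slashed (as in core's
    // wp_filter_kses), so unslash before filtering and re-slash after.
    // wp_kses also rejects disallowed URL schemes (e.g. javascript:)
    // inside href/cite attributes.
    $clean = wp_kses( stripslashes( $content ), $allowed_tags );
    return addslashes( $clean );
}

// Core only adds wp_filter_kses here for users without unfiltered_html;
// this hook runs for everyone, so an admin's <script> is stripped too.
add_filter( 'pre_comment_content', 'example_force_comment_kses' );
```

Dropping this file into `wp-content/mu-plugins/` activates it without the plugin screen; the payload from the first post is then stored as plain text rather than executable markup.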

Topic Closed