2.2.3 Vulnerability (12 posts)

  1. quotes
    Member
    Posted 7 years ago #

    Is version 2.2.3 still hackable with the XSS Exploit?

    It appears to have a vulnerability.

    Does 2.3 fix this?

    Thank you,

  2. You'll have to be more specific, exactly what vulnerability are you talking about?

    I don't know of any working XSS vulnerability for 2.2.3, and I try to keep up with this sort of thing. So please be specific.

  3. whooami
    Member
    Posted 7 years ago #

  4. I don't see how that is legitimate; script tags get filtered out of comments if you're not a trusted user. So you can post "alert" all you like; it won't do anything. Script tags (along with most every other tag) are filtered out by kses.
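
The post above describes the filtering model kses applies to comments from untrusted users: every tag not on an allowlist is stripped (its text stays), and even allowed tags only keep a short list of attributes. The following is an added illustration of that model written for this thread; it is not kses itself and not WordPress code. The tag and attribute allowlist, the allowed URL schemes and the sample comment are constructed assumptions chosen to resemble a default comment policy, not copied from the real kses tables.

```python
"""Allowlist HTML filter in the style of kses: drops every tag not on the list,
keeps the text inside it, and lets only listed attributes and URL schemes through."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist (assumption): tag -> attributes that may survive on it.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "cite": set(), "blockquote": {"cite"},
}
URL_ATTRS = {"href", "cite"}            # attributes that carry a URL
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def url_is_safe(value: str) -> bool:
    """True if the URL has no scheme or an allowlisted one.

    Whitespace and control characters are removed before the scheme is read,
    because browsers ignore them inside a scheme (so "java\\tscript:" is rejected).
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistFilter(HTMLParser):
    """Rebuilds the markup from the parse events, keeping only allowed pieces."""

    def __init__(self) -> None:
        super().__init__()          # convert_charrefs=True: entities arrive as text
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return                  # unknown tag (script, img, ...): drop the tag, keep contents
        parts = [tag]
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue            # drops onclick=, style=, and any other unlisted attribute
            if name in URL_ATTRS and not url_is_safe(value):
                continue            # drops javascript: and other non-allowlisted schemes
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so a stray '<' or '&' can never open markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_comment(raw: str) -> str:
    """Return the comment with only allowlisted tags/attributes left in it."""
    p = AllowlistFilter()
    p.feed(raw)
    p.close()                       # flushes any buffered trailing text
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample of what an untrusted visitor might submit.
    sample = ('<b onclick="x()">bold</b> <script>alert(1)</script> '
              '<a href="javascript:alert(1)">bad</a> '
              '<a href="https://wordpress.org/" title="WP">ok</a>')
    print(sanitize_comment(sample))
```

Run as a script it prints the sample with the script element reduced to the plain text `alert(1)`, the `onclick` attribute gone, the `javascript:` link reduced to a bare `<a>`, and the ordinary link left intact, which is exactly the behaviour the post describes. Note that the parser lowercases tag and attribute names, so `<SCRIPT>` is treated the same as `<script>`; a real deployment would also want to cap nesting depth and handle the other WordPress filters that run on comment text, which this illustration leaves out.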

  5. whooami
    Member
    Posted 7 years ago #

    preaching to the choir :)

  6. quotes
    Member
    Posted 7 years ago #

    @Otto42

    I am confused.

    Are you saying that this exploit did not happen?

    That is not true.

    Right now I am looking at dozens of sites that are running 2.2.3 and have been hacked.

  7. "Been hacked" is different than "WordPress 2.2.3 has a vulnerability". I can hack your site easily, if your permissions are wrong on the shared server and I gain access to the server through some other site.

    Just because a site is hacked doesn't mean that they went through WordPress to do it.

    Tell me what the vulnerability actually is. Otherwise, there isn't one.

    Also, an XSS vulnerability rarely leads to a site compromise. XSS is not generally used a lot by site hackers; they prefer SQL Injection.

  8. quotes
    Member
    Posted 7 years ago #

    They used the exact same exploit that they used to break into previous WordPress versions.

  9. whooami
    Member
    Posted 7 years ago #

    You know that's a crap answer, and it's crap because as exploits have been made public, they've been fixed in the next versions.

    Consequently, you cannot say that.

    Not to mention your language "exact same exploit" ... absolute crap with a capital C

    You think you know something that someone else doesn't? Here you go:

    security@wordpress.org

  10. "They used the exact same exploit that they used to break into previous WordPress versions."

    And exactly what exploit would that be?

    Like I said, it's put up or shut up when it comes to exploits. Say exactly what the exploit is. "The same one" isn't actually saying anything, it just says that you really don't have any idea what you're talking about.

  11. mozey
    Member
    Posted 7 years ago #

    LOOOL!

  12. manojit
    Member
    Posted 7 years ago #

    With people like Otto42 and whooami holding the fort, I know I am not going to lose sleep over any real or imagined WP vulnerability :-)

This topic has been closed to new replies.
